A semantic basis for Quest 



Luca Cardelli 

Digital Equipment Corporation 
Systems Research Center 



Giuseppe Longo 

LIENS, Ecole Normale Superieure, Paris 



Abstract 



Quest is a programming language based on impredicative type quantifiers and 
subtyping within a three-level structure of kinds, types and type operators, and values. 

The semantics of Quest is rather challenging. In particular, difficulties arise when we 
try to model simultaneously features such as contravariant function spaces, record types, 
subtyping, recursive types, and fixpoints. 

In this paper we describe in detail the type inference rules for Quest, and we give 
them meaning using a partial equivalence relation model of types. Subtyping is 
interpreted as in previous work by Bruce and Longo, but the interpretation of some 
aspects, namely subsumption, power kinds, and record subtyping, is novel. The latter is 
based on a new encoding of record types. 

We concentrate on modeling quantifiers and subtyping; recursion is the subject of 
current work. 
1. Introduction 

Type theory provides a general framework for studying many advanced programming 
features including polymorphism, abstract types, modules, and inheritance. (See [Cardelli 
Wegner 85] for a survey.) The Quest programming language [Cardelli 89] attempts to take 
advantage of this general framework to integrate such programming constructs into a 
flexible and consistent whole. 

In this paper we focus on the Quest type system, by describing and modeling its most 
interesting features. At the core of this system is a three-level structure of kinds, types 
(and type operators), and values. Within this structure we accommodate impredicative 
type quantifiers and subtyping. Universal type quantifiers can then be used to model type 
operators, polymorphic functions, and ordinary higher-order functions. Existential type 
quantifiers can model abstract types. Subtyping supports (multiple) inheritance, and in 
combination with quantifiers results in bounded-polymorphic functions and partially 
abstract types. Subtyping is realized in a uniform way throughout the system via a notion 
of power kind, where P(A) is the kind of all subtypes of A. 

Formally, Quest is an extension of Girard's Fω [Girard 72] with additional kind 
structure, subtyping structure, recursive types, and fixpoints at all types. Alternatively, it 
is a higher-order extension of the calculus studied in [Curien Ghelli 90], which is the kernel 
of the calculus in [Cardelli Wegner 85]. Recursion is necessary to model programming 
activities adequately, and causes us to abandon the Curry-Howard isomorphism between 
formulas and types. 

New kinds and types can be easily integrated into the basic Quest system to model 
various programming aspects. For example, basic types can be added to model primitive 
values and their relations [Mitchell 84]; record and variant types can be introduced to model 
object-oriented programming [Cardelli 88, Wand 89, Cardelli Mitchell 89, Cook Hill Canning 90]; 
and set types can be introduced to model relational data bases [Ohori 87]. In all these cases, 
subtyping performs a major role. Many of these additional type constructions can 
however be encoded in a very small core system, which is the one we investigate in this 
paper. 

The type rules we consider are very powerful, but not particularly complex or 
unintuitive from a programming perspective. This contrasts with the semantics of Quest, 
which is rather challenging. In particular, difficulties arise when we try to model 
simultaneously features such as contravariant function spaces, record types, subtyping, 
recursive types, and fixpoints. In this paper we concentrate on modeling quantifiers and 
subtyping; recursive types and values are an active subject of research [Amadio 89] [Abadi 
Plotkin 90] [Freyd Mulry Rosolini Scott 90]. 

The model we present for such advanced constructions is particularly simple; the 
basic concepts are built on top of elementary set and recursion theory. This model has 
been investigated recently within the context of Category Theory, in view of the 
relevance of Kleene's realizability interpretation for Category Theory and Logic. Our 
presentation applies and further develops, in plain terms and with no general categorical 
notions, the work carried on in [Longo Moggi 88] and [Bruce Longo 89]. Our work is also 
indebted to that by Amadio, Mitchell, Freyd, Rosolini, Scedrov, Luo and others (see 
references). 

The presentation of the formal semantics is divided into two parts, corresponding to 
sections 4 and 5, where we discuss variants of the language with and without explicit 
coercions. However, the underlying mathematical structure is the same and the 
interpretations are strictly related. 

We conclude this section with a few examples, both to introduce our notation and to 
provide some motivation. 

The polymorphic identity function below introduces the universal quantifier over 
types (Π) along with λ-abstraction over types (λ(X::TYPE)) and type application, and the 
function space operator (→) along with λ-abstraction over values (λ(x:X)) and value 
application: 

let id : Π(X::TYPE) (X→X) = 
  λ(X::TYPE) λ(x:X) x 

id(Int)(3) = 3 : Int 

Abstract types are obtained by existential quantification over types (Σ) [Mitchell Plotkin 
85]. (As is well known, these existential quantifiers, with their associated primitives, can 
be defined in terms of Π and →. Similarly, cartesian product (×) can be defined from →.) 
The following might be the type of a package providing an abstract type X, a constant of 
type X, and an operation from X to Int: 

Σ(X::TYPE) (X × (X→Int)) 

Bounded universal quantifiers allow us to write functions that are polymorphic with 
respect to all the subtypes (<:) of a given type. This is particularly useful for subtypes of 
record types, which are generally meant to model object types in object-oriented 
programming languages. Here «age:Int» is the type of records that contain a field age of 
type Int, and ⟨age=5, color=red⟩ is a value of type «age:Int, color:Color», which is a 
subtype of «age:Int». The following ageOf function computes the age of any member of a 
subtype of «age:Int». 

let ageOf : Π(X<:«age:Int») (X→Int) = 
  λ(X<:«age:Int») λ(x:X) x.age 

ageOf(«age:Int, color:Color»)(⟨age=5, color=red⟩) = 5 : Int 

Bounded existential quantifiers are useful for representing types that are partially 
abstract in the sense that they are known to be subtypes of a given type, but are not 
completely specified: 

Σ(X<:«age:Int») ... 

Bounded existential quantifiers also model types that are subtypes of abstract or partially 
abstract types: 

Σ(X<:«age:Int») Σ(Y<:X) ... 

These last two features are present, in specific forms, in Modula-3 [Cardelli Donahue 
Glassman Jordan Kalsow Nelson 88]. 

We refer to [Cardelli 89] for detailed programming examples that use the full power of 
the system. 

The paper is organized as follows. Section 2 describes the formal theory of Quest, 
including its typing rules, and can be understood on its own. Sections 3, 4, and 5 are more 
technical and are concerned with semantics. Section 3 provides background material on 
partial equivalence relation (p.e.r.) models, and more specific material on subtyping. 
Section 4 gives meaning to Quest_c (with explicit coercions), while section 5 gives 
meaning to Quest (with implicit subsumption). 

2. Quest rules 

In this section we discuss the typing and reduction rules for Quest. We use K,L,M for 
kinds; A,B,C for types and operators; a,b,c for values; X,Y,Z for type and operator 
variables; and x,y,z for value variables. We also use T for the kind of all types, and 𝒫(B) 
for the kind of subtypes of B. In general, we use capitalized names for kinds and types, 
and lower-case names for values. 
2.1 Terms 

The pre-terms are described by the following syntax. Only those pre-terms that are 
validated by the rules in the following subsections are legal terms. 

K ::=              Kinds 
  𝒫(A)             the kind of all subtypes of a type 
  Π(X::K)L         the kind of operators between kinds 

A ::=              Types and Operators 
  X                type and operator variables 
  Top              the supertype of all types 
  Π(X::K)B         polymorphic types 
  A→B              function spaces 
  λ(X::K)B         operators 
  B(A)             operator application 
  μ(X)A            recursive types 

a ::=              Values 
  x                value variables 
  top              the distinguished value of type Top 
  λ(X::K)b         polymorphic functions 
  b(A)             polymorphic instantiation 
  λ(x:A)b          functions 
  b(a)             function application 
  c_{A,B}(a)       coercions 
  μ(x:A)a          recursive values 

The following abbreviations will be used: 

T = 𝒫(Top)                 the kind of all types 

Π(X)L = Π(X::T)L           Π(X<:A)L = Π(X::𝒫(A))L 
Π(X)B = Π(X::T)B           Π(X<:A)B = Π(X::𝒫(A))B 
λ(X)B = λ(X::T)B           λ(X<:A)B = λ(X::𝒫(A))B 
λ(X)b = λ(X::T)b           λ(X<:A)b = λ(X::𝒫(A))b 

From the abbreviations above we can see that this calculus includes all the terms of Fω 
[Girard 72] and Fun [Cardelli Wegner 85]. 
2.2 Judgments 

The formal rules are based on eight primitive judgment forms plus three derived ones, 
listed below. 

⊢ E env                E is an environment 
E ⊢ K kind             K is a kind (in an environment E) 
E ⊢ A::K               type A has kind K 
E ⊢ A type             A is a type (abbr. for E ⊢ A::T) 
E ⊢ a:A                value a has type A 
E ⊢ K<::L              kind K is a subkind of kind L 
E ⊢ A<:B               type A is a subtype of type B (abbr. for E ⊢ A::𝒫(B)) 
E ⊢ K<::>L             K and L are equivalent kinds 
E ⊢ A<:>B::K           A and B are equivalent types or operators of kind K 
E ⊢ A<:>B type         A and B are equivalent types (abbr. for E ⊢ A<:>B::T) 
E ⊢ a↔b:A              a and b are equivalent values 

A judgment like E h a:A is interpreted as defining a relation between environments, 
value terms, and type terms. This relation is defined inductively by axioms and inference 
rules, as described in the following sections. The rules are then summarized in section 
2.9. 

2.3 Environments and variables 

An environment E is a finite sequence of type variables associated with kinds, and 
value variables associated with types. We use dom(E) for the set of type and value 
variables defined in an environment. 

[Env ∅] 
⊢ ∅ env 

[Env X] 
E ⊢ K kind   X∉dom(E) 
⊢ E,X::K env 

[Env x] 
E ⊢ A type   x∉dom(E) 
⊢ E,x:A env 

[Var X] 
⊢ E',X::K,E'' env 
E',X::K,E'' ⊢ X :: K 

[Var x] 
⊢ E',x:A,E'' env 
E',x:A,E'' ⊢ x : A 
2.4 Equivalence and inclusion 

Equivalence of kinds (<::>) is the least congruence relation over the syntax of kinds 
that includes the following rule involving type equivalence: 

[KEq 𝒫] 
E ⊢ A<:>A' type 
E ⊢ 𝒫(A) <::> 𝒫(A') 

Equivalence of types and operators (<:>) is the least congruence relation over the 
syntax of types that includes β and η type conversions (shown later), and the following 
rule for recursive types. Here A↓X means that A must be contractive in X in order to 
avoid non-well-founded recursions; see the definition in 2.9. The third rule below claims 
that every contractive context C has a unique fixpoint. 

[TF μ] 
E,X::T ⊢ A type   A↓X 
E ⊢ μ(X)A type 

[Tμ] 
E,X::T ⊢ A type   A↓X 
E ⊢ μ(X)A <:> A{X←μ(X)A} type 

[TEq Contract] 
E ⊢ A<:>C{X←A} type   E ⊢ B<:>C{X←B} type   C↓X 
E ⊢ A <:> B type 

Inclusion of recursive types is given by the following rule, working inductively from the 
inclusion of the recursive variables to the inclusion of the recursive bodies: 

[TIncl μ] 
E ⊢ μ(X)A type   E ⊢ μ(Y)B type   E, Y::T, X<:Y ⊢ A <: B 
E ⊢ μ(X)A <: μ(Y)B 

Equivalence of values (↔) is the least congruence relation over the syntax of values 
that includes β and η value conversions (shown later), together with the following rule 
for recursive values: 

E ⊢ μ(x:A)b : A 
E ⊢ μ(x:A)b ↔ b{x←μ(x:A)b} : A 

The rules for recursive types and values will not be modeled in the later sections. 
Nonetheless, we consider them an essential part of the language, and refer the reader to 
[Amadio 89], [Abadi Plotkin 90], and [Freyd Mulry Rosolini Scott 90] for related and ongoing 
work. 

The following rules state that the property of having a kind (respectively a type) is 
invariant under kind (respectively type) equivalence; that is, equivalent kinds and types 
have the same extensions: 

[KExt] (Kind Extension) 
E ⊢ A::K   E ⊢ K<::>L 
E ⊢ A :: L 

[TExt] (Type Extension) 
E ⊢ a:A   E ⊢ A<:>B type 
E ⊢ a:B 

The relations of type and kind inclusion are reflexive and transitive: 

[KIncl Refl] 
E ⊢ K<::>L 
E ⊢ K <:: L 

[KIncl Trans] 
E ⊢ K <:: L   E ⊢ L <:: M 
E ⊢ K <:: M 

[TIncl Refl] 
E ⊢ A <:> B type 
E ⊢ A <: B 

[TIncl Trans] 
E ⊢ A <: B   E ⊢ B <: C 
E ⊢ A <: C 

We shall see shortly that the subtype relation is actually defined in terms of power kinds, 
so all the rules written in terms of subtyping are to be read as rules about power kinds. 

2.5 Subsumption vs. coercion 

The following rules reflect the set-theoretical intuitions behind the subtyping relation. 
We present two alternatives: subsumption and coercion. 

Subsumption formalizes a computationally natural way of looking at subtypes. When 
viewing computations as type-free activities, any element of a type is directly an element 
of its supertypes: 

[TSub] (Subsumption) 
E ⊢ a:A   E ⊢ A<:B 
E ⊢ a:B 

A mathematical model of Quest with subsumption is given in part 5. That model is 
the main semantic novelty of this paper. 

Before that, in part 4, we consider a system without subsumption, called Quest_c. In 
Quest_c, subsumption is replaced by a coercion rule, where a value of a type A must be 
explicitly injected into a supertype B by a coercion function c_{A,B}. Invariance under type 
inclusion will be true only modulo coercions in the most straightforward semantics given 
in part 4. 

[TSub] (Coercion) 
E ⊢ a:A   E ⊢ A<:B 
E ⊢ c_{A,B}(a) : B 

In the semantics of Quest_c we obtain a single coercion function c : Π(X::T) Π(Y<:X) 
Y→X; then c(B)(A) gives meaning to c_{A,B}. 

Coercions satisfy the following basic rules; more rules will be given later. 

[VCoer Id / Quest_c] 
E ⊢ a:A 
E ⊢ c_{A,A}(a) ↔ a : A 

[VCoer Comp / Quest_c] 
E ⊢ a:A   E ⊢ A<:B   E ⊢ B<:C 
E ⊢ c_{B,C}(c_{A,B}(a)) ↔ c_{A,C}(a) : C 

The important intuition about coercions is that they involve little, if any, 
computational work. Often they are introduced as identity functions with the only 
purpose of "getting the types right". In compilation practice they are often removed 
during code generation. Semantically, this will be understood in the model for Quest_c 
below by observing that they are computed by (indexes of) the identity function. In 
Quest, the subsumption rule above is a strong (or explicit) way of saying that coercions 
have no computational relevance. 

2.6 Power kinds 

For each type A there is a kind 𝒫(A) of all subtypes of A. The kind 𝒫(Top) is then 
the kind of all types, and is called T. Here are the formation and introduction rules for 𝒫; 
the subsumption/coercion rule serves as an elimination rule for 𝒫. 

[KF 𝒫] 
E ⊢ A type 
E ⊢ 𝒫(A) kind 

[TIncl Refl'] 
E ⊢ A type 
E ⊢ A :: 𝒫(A) 

The subtype judgment E ⊢ A<:B is defined as an abbreviation for a judgment 
involving power kinds: 

E ⊢ A <: B   iff   E ⊢ A :: 𝒫(B) 

The subkind judgment E ⊢ K<::L is primitive, but has very weak properties. It is 
reflexive and transitive, it extends monotonically to 𝒫, and it extends to Π via a covariant 
rule: 

[KIncl 𝒫] 
E ⊢ A<:A' 
E ⊢ 𝒫(A) <:: 𝒫(A') 

[KIncl Π] 
E ⊢ K kind   E, X::K ⊢ L <:: L' 
E ⊢ Π(X::K)L <:: Π(X::K)L' 

Note that the first rule above implies 𝒫(A) <:: T. 
Moreover, we have a subsumption rule on kinds: 

[KSub] (Kind Subsumption) 
E ⊢ A::K   E ⊢ K<::L 
E ⊢ A :: L 

Unlike type subsumption, kind subsumption is satisfied by both models in parts 4 and 5. 

2.7 Operator kinds 

The kind of type operators is normally written as K⇒L in Fω (operators from kind K 
to kind L). In our system, as in the Theory of Constructions, we use a more general 
construction Π(X::K)L since X may actually occur in L within a power operator, for 
example in Π(X::T) 𝒫(X). 

Individual operators are written λ(X::K)A with standard introduction, elimination, 
and computation rules, shown later. 

2.8 The kind of types 

The kind of all types T contains the type Top, the types of polymorphic functions, the 
types of ordinary functions, and the recursive types. 
The type Top is the maximal element in the subtype order: 

[TF Top] 
⊢ E env 
E ⊢ Top type 

[TIncl Top] 
E ⊢ A type 
E ⊢ A <: Top 

Hence the power of Top is the collection of all types and, as already mentioned, we can 
define the kind of all types as follows: 

T = 𝒫(Top) 

There is a canonical element of type Top, called top. Moreover, any value belonging 
to Top is indistinguishable from top: 

[VI Top] 
⊢ E env 
E ⊢ top : Top 

[VEq Top] (Top Collapse) 
E ⊢ a:Top   E ⊢ b:Top 
E ⊢ a ↔ b : Top 

When using the subsumption rule, we obtain that every value has type Top, since Top 
is the largest type. Moreover, every value is equivalent to top when seen as a member of 
Top, and hence c_{A,Top}(a) ↔ c_{B,Top}(b) for any a:A and b:B. By this, when using the 
coercion rule, there is a unique coercion c_{A,Top}(a) from A into Top. This rather peculiar 
situation will be understood in the semantics by the meaning of <: and by the 
interpretation of Top as the terminal object in the intended category. Top and its 
properties will play a crucial role in the coding of records. 

The types of polymorphic functions are modeled by an impredicative general-product 
construction, Π(X::K)B. Although we do not show it here, from this product we can 
derive "weak" general sums, which are used in the Quest language for modeling abstract 
types. 

The standard formation, introduction, elimination, and computation rules (shown in 
section 2.9) are complemented by rules for subtyping and coercion: 

[TIncl Π] 
E ⊢ K'<::K   E, X::K' ⊢ B<:B' 
E ⊢ Π(X::K)B <: Π(X::K')B' 

[VCoer Π] 
E ⊢ b : Π(X::K)B   E ⊢ A :: K'   E ⊢ Π(X::K)B <: Π(X::K')B' 
E ⊢ (c_{Π(X::K)B,Π(X::K')B'}(b))(A) ↔ c_{B{X←A},B'{X←A}}(b(A)) : B'{X←A} 

Ordinary higher-type functions are modeled by a function space construction (→). We 
avoid first-order dependent types (Π(x:A)B, which generalize A→B) because in practice 
they are hard to typecheck and compile. Again, most rules are standard, but we may want 
to notice subtyping and coercion: 

[TIncl →] 
E ⊢ A'<:A   E ⊢ B<:B' 
E ⊢ A→B <: A'→B' 

[VCoer →] 
E ⊢ b : A→B   E ⊢ a : A'   E ⊢ A→B <: A'→B' 
E ⊢ (c_{A→B,A'→B'}(b))(a) ↔ c_{B,B'}(b(c_{A',A}(a))) : B' 
2.9 Formal system 

In this section we summarize the formal systems for both Quest and Quest_c. The rules 
of these systems are presented simultaneously as they largely coincide. 

Rules are named, for example, [TExt / Quest] (Type Extension) extra. Here TExt is the proper name 
of the rule. The notation / Quest means that this rule applies only to Quest, while the 
notation / Quest_c means that it applies only to Quest_c; otherwise the rule applies to both systems. 
The parenthesized name, here Type Extension, is the one sometimes used for the rule in the text. 
Finally, extra means that this rule is actually derivable or admissible and is listed for symmetry 
with other rules or for emphasis (for example, [KEq Refl] and [TEq Refl] are provable by 
simultaneous induction on the derivations). 

The rules grouped as "computation" rules may be oriented in order to provide 
reduction strategies. 

A recursive type μ(X)C is legal only if C is contractive in X, written C↓X [MacQueen 
Plotkin Sethi 86]. A type C is contractive in a (free) type variable X if and only if C has one 
of the following six forms: a type variable different from X; Top; Π(X'::K)C' with 
X∉free-variables(K) and C'↓X; A→B; (λ(X'::K)B)(A) with B{X'←A}↓X; or μ(X')C' 
with C'↓X (as well as C'↓X'). 

We are conservative about the contractiveness conditions on Π(X'::K)C', and these 
deserve further study. The condition X∉free-variables(K) prevents constructions such as 
μ(X)Π(Y<:X)X→X, whose semantics is unclear. The condition C'↓X agrees with one of 
the semantics we give to Π as a non-expansive intersection, although syntactically this 
restriction seems unnecessary. 
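The contractiveness test above is a small syntactic algorithm. As an added illustration (not code from the paper), here is a Python checker over a constructed abstract syntax for Quest kinds and types; the class names, the assumption that bound variables are named apart from free ones, and the test types are this example's own choices.

```python
from dataclasses import dataclass

# --- Constructed abstract syntax for Quest types and kinds (example only) ---
@dataclass(frozen=True)
class TVar:          # type variable X
    name: str

@dataclass(frozen=True)
class Top:           # the type Top
    pass

@dataclass(frozen=True)
class Arrow:         # A -> B
    dom: object
    cod: object

@dataclass(frozen=True)
class Pi:            # Pi(X::K)B, a polymorphic type
    var: str
    kind: object
    body: object

@dataclass(frozen=True)
class Lam:           # lambda(X::K)B, a type operator
    var: str
    kind: object
    body: object

@dataclass(frozen=True)
class App:           # B(A), operator application
    op: object
    arg: object

@dataclass(frozen=True)
class Mu:            # mu(X)A, a recursive type
    var: str
    body: object

@dataclass(frozen=True)
class Power:         # P(A), the kind of subtypes of A
    of: object

@dataclass(frozen=True)
class PiK:           # Pi(X::K)L, an operator kind
    var: str
    kind: object
    body: object


def free_vars(t) -> frozenset:
    """Free type variables of a type or a kind."""
    if isinstance(t, TVar):
        return frozenset([t.name])
    if isinstance(t, Top):
        return frozenset()
    if isinstance(t, (Arrow,)):
        return free_vars(t.dom) | free_vars(t.cod)
    if isinstance(t, (Pi, Lam, PiK)):
        return free_vars(t.kind) | (free_vars(t.body) - {t.var})
    if isinstance(t, App):
        return free_vars(t.op) | free_vars(t.arg)
    if isinstance(t, Mu):
        return free_vars(t.body) - {t.var}
    if isinstance(t, Power):
        return free_vars(t.of)
    raise TypeError(t)


def subst(t, x: str, s):
    """t{x <- s}. Assumes bound variables are named apart from free_vars(s)."""
    if isinstance(t, TVar):
        return s if t.name == x else t
    if isinstance(t, Top):
        return t
    if isinstance(t, Arrow):
        return Arrow(subst(t.dom, x, s), subst(t.cod, x, s))
    if isinstance(t, (Pi, Lam, PiK)):
        body = t.body if t.var == x else subst(t.body, x, s)
        return type(t)(t.var, subst(t.kind, x, s), body)
    if isinstance(t, App):
        return App(subst(t.op, x, s), subst(t.arg, x, s))
    if isinstance(t, Mu):
        return t if t.var == x else Mu(t.var, subst(t.body, x, s))
    if isinstance(t, Power):
        return Power(subst(t.of, x, s))
    raise TypeError(t)


def contractive(c, x: str) -> bool:
    """C↓X: exactly the six forms of section 2.9; anything else is not contractive."""
    if isinstance(c, TVar):                      # a variable different from X
        return c.name != x
    if isinstance(c, (Top, Arrow)):              # Top, or A -> B
        return True
    if isinstance(c, Pi):                        # Pi(X'::K)C' with X not free in K, C'↓X
        return x not in free_vars(c.kind) and contractive(c.body, x)
    if isinstance(c, App) and isinstance(c.op, Lam):   # (lambda(X'::K)B)(A) with B{X'<-A}↓X
        return contractive(subst(c.op.body, c.op.var, c.arg), x)
    if isinstance(c, Mu):                        # mu(X')C' with C'↓X and C'↓X'
        return contractive(c.body, x) and contractive(c.body, c.var)
    return False                                 # bare operators, other applications


def legal_rec_type(x: str, c) -> bool:
    """mu(X)C is a legal recursive type iff C↓X ([TF mu])."""
    return contractive(c, x)
```

Running it on the paper's own problem case, μ(X)Π(Y<:X)X→X is rejected because X occurs free in the bound kind 𝒫(X), while μ(X)X→X and μ(X)Π(Y)Y→X are accepted.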



Judgments 

⊢ E env                E is an environment 
E ⊢ K kind             K is a kind (in an environment E) 
E ⊢ A::K               type A has kind K 
E ⊢ A type             A is a type (abbr. for E ⊢ A::T) 
E ⊢ a:A                value a has type A 
E ⊢ K<::L              kind K is a subkind of kind L 
E ⊢ A<:B               type A is a subtype of type B (abbr. for E ⊢ A::𝒫(B)) 
E ⊢ K<::>L             K and L are equivalent kinds 
E ⊢ A<:>B::K           A and B are equivalent types or operators of kind K 
E ⊢ A<:>B type         A and B are equivalent types (abbr. for E ⊢ A<:>B::T) 
E ⊢ a↔b:A              a and b are equivalent values 

Environments 

[Env ∅] 
⊢ ∅ env 

[Env X] 
E ⊢ K kind   X∉dom(E) 
⊢ E,X::K env 

[Env x] 
E ⊢ A type   x∉dom(E) 
⊢ E,x:A env 

[Var X] 
⊢ E',X::K,E'' env 
E',X::K,E'' ⊢ X :: K 

[Var x] 
⊢ E',x:A,E'' env 
E',x:A,E'' ⊢ x : A 

Kind formation 

[KF 𝒫] 
E ⊢ A type 
E ⊢ 𝒫(A) kind 

[KF Π] 
E ⊢ K kind   E, X::K ⊢ L kind 
E ⊢ Π(X::K)L kind 

Kind equivalence 

[KEq Refl] extra 
E ⊢ K kind 
E ⊢ K<::>K 

[KEq Symm] 
E ⊢ K<::>L 
E ⊢ L<::>K 

[KEq Trans] 
E ⊢ K<::>L   E ⊢ L<::>M 
E ⊢ K<::>M 
[KEq 𝒫] 
E ⊢ A<:>A' type 
E ⊢ 𝒫(A) <::> 𝒫(A') 

[KEq Π] 
E ⊢ K<::>K'   E, X::K ⊢ L <::> L' 
E ⊢ Π(X::K)L <::> Π(X::K')L' 

[KExt] (Kind Extension) extra 
E ⊢ A::K   E ⊢ K<::>L 
E ⊢ A :: L 

Kind inclusion 

[KIncl Refl] 
E ⊢ K<::>L 
E ⊢ K <:: L 

[KIncl Trans] 
E ⊢ K <:: L   E ⊢ L <:: M 
E ⊢ K <:: M 

[KIncl 𝒫] 
E ⊢ A<:A' 
E ⊢ 𝒫(A) <:: 𝒫(A') 

[KIncl Π] 
E ⊢ K kind   E, X::K ⊢ L <:: L' 
E ⊢ Π(X::K)L <:: Π(X::K)L' 

[KSub] (Kind Subsumption) 
E ⊢ A::K   E ⊢ K<::L 
E ⊢ A :: L 
Type and Operator formation 

[TF Top] 
⊢ E env 
E ⊢ Top type 

[TF μ] 
E,X::T ⊢ A type   A↓X 
E ⊢ μ(X)A type 

[TF Π] 
E ⊢ K kind   E, X::K ⊢ B type 
E ⊢ Π(X::K)B type 

[TF →] 
E ⊢ A type   E ⊢ B type 
E ⊢ A→B type 

[TI Π] 
E ⊢ K kind   E,X::K ⊢ B::L 
E ⊢ λ(X::K)B :: Π(X::K)L 

[TE Π] 
E ⊢ B::Π(X::K)L   E ⊢ A::K 
E ⊢ B(A) :: L{X←A} 

Type and Operator equivalence 

[TEq Refl] extra 
E ⊢ A :: K 
E ⊢ A<:>A::K 

[TEq Symm] 
E ⊢ A<:>B::K 
E ⊢ B<:>A::K 

[TEq Trans] 
E ⊢ A<:>B::K   E ⊢ B<:>C::K 
E ⊢ A<:>C::K 
[TEq X] 
E ⊢ X::K 
E ⊢ X <:> X :: K 

[TEq Top] 
⊢ E env 
E ⊢ Top <:> Top type 

[TEq Π] 
E ⊢ K<::>K'   E, X::K ⊢ B<:>B' type 
E ⊢ Π(X::K)B <:> Π(X::K')B' type 

[TEq →] 
E ⊢ A<:>A' type   E ⊢ B<:>B' type 
E ⊢ A→B <:> A'→B' type 

[TEq Abs] 
E ⊢ K<::>K'   E, X::K ⊢ B<:>B' :: L 
E ⊢ λ(X::K)B <:> λ(X::K')B' :: Π(X::K)L 

[TEq Appl] 
E ⊢ B<:>B' :: Π(X::K)L   E ⊢ A<:>A'::K 
E ⊢ B(A) <:> B'(A') :: L{X←A} 

[TEq μ] 
E,X::T ⊢ B<:>B' type   B,B'↓X 
E ⊢ μ(X)B <:> μ(X)B' type 

[TEq Contract] 
E ⊢ A<:>C{X←A} type   E ⊢ B<:>C{X←B} type   C↓X 
E ⊢ A <:> B type 

[TExt / Quest] (Type Extension) extra 
E ⊢ a:A   E ⊢ A<:>B type 
E ⊢ a:B 

[TExt / Quest_c] (Type Extension) 
E ⊢ a:A   E ⊢ A<:>B type 
E ⊢ a:B 

[Tη Π] 
E ⊢ B :: Π(X::K)L   X∉dom(E) 
E ⊢ (λ(X::K)B(X)) <:> B :: Π(X::K)L 

Type and Operator computation 

[Tβ Π] 
E ⊢ (λ(X::K)B)(A) :: L 
E ⊢ (λ(X::K)B)(A) <:> B{X←A} :: L 

[Tμ] 
E,X::T ⊢ A type   A↓X 
E ⊢ μ(X)A <:> A{X←μ(X)A} type 

Type inclusion 

[TIncl Refl] 
E ⊢ A <:> B type 
E ⊢ A <: B 

[TIncl Trans] 
E ⊢ A <: B   E ⊢ B <: C 
E ⊢ A <: C 

[TIncl Top] 
E ⊢ A type 
E ⊢ A <: Top 

[TIncl Π] 
E ⊢ K'<::K   E, X::K' ⊢ B<:B' 
E ⊢ Π(X::K)B <: Π(X::K')B' 

[TIncl →] 
E ⊢ A'<:A   E ⊢ B<:B' 
E ⊢ A→B <: A'→B' 

[TIncl μ] 
E ⊢ μ(X)A type   E ⊢ μ(Y)B type   E, Y::T, X<:Y ⊢ A <: B 
E ⊢ μ(X)A <: μ(Y)B 

[TSub / Quest] (Subsumption) 
E ⊢ a:A   E ⊢ A<:B 
E ⊢ a : B 

[TSub / Quest_c] (Coercion) 
E ⊢ a:A   E ⊢ A<:B 
E ⊢ c_{A,B}(a) : B 

Value formation 

[VI Top] 
⊢ E env 
E ⊢ top : Top 

[VI Π] 
E ⊢ K kind   E,X::K ⊢ b:B 
E ⊢ λ(X::K)b : Π(X::K)B 

[VI →] 
E ⊢ A type   E, x:A ⊢ b:B 
E ⊢ λ(x:A)b : A→B 

[VI c / Quest_c] 
E ⊢ A <: B   E ⊢ a:A 
E ⊢ c_{A,B}(a) : B 

[VI μ] 
E ⊢ A type   E, x:A ⊢ b:A 
E ⊢ μ(x:A)b : A 

[VE Π] 
E ⊢ b:Π(X::K)B   E ⊢ A::K 
E ⊢ b(A) : B{X←A} 

[VE →] 
E ⊢ b:A→B   E ⊢ a:A 
E ⊢ b(a) : B 

Value equivalence 

[VEq Refl] extra 
E ⊢ a:A 
E ⊢ a↔a : A 

[VEq Symm] 
E ⊢ a↔b:A 
E ⊢ b↔a:A 

[VEq Trans] 
E ⊢ a↔b:A   E ⊢ b↔c:A 
E ⊢ a↔c:A 

[VEqSub / Quest] (Subsumption Eq) 
E ⊢ a↔a':A   E ⊢ A<:B 
E ⊢ a↔a' : B 

[VEqSub / Quest_c] (Coercion Eq) 
E ⊢ a↔a':A   E ⊢ A<:B   E ⊢ A<:>A' type   E ⊢ B<:>B' type 
E ⊢ c_{A,B}(a) ↔ c_{A',B'}(a') : B 

[VEq x] 
E ⊢ x:A 
E ⊢ x↔x:A 

[VEq top] 
⊢ E env 
E ⊢ top ↔ top : Top 

[VEq Top] (Top Collapse) 
E ⊢ a↔a : Top   E ⊢ b↔b : Top 
E ⊢ a↔b : Top 
[VEq TAbs] 
E ⊢ K<::>K'   E,X::K ⊢ b↔b':B 
E ⊢ λ(X::K)b ↔ λ(X::K')b' : Π(X::K)B 

[VEq TAppl] 
E ⊢ b↔b' : Π(X::K)B   E ⊢ A<:>A'::K 
E ⊢ b(A) ↔ b'(A') : B{X←A} 

[VEq Abs] 
E ⊢ A<:>A' type   E,x:A ⊢ b↔b':B 
E ⊢ λ(x:A)b ↔ λ(x:A')b' : A→B 

[VEq Appl] 
E ⊢ b↔b' : A→B   E ⊢ a↔a' : A 
E ⊢ b(a) ↔ b'(a') : B 

[VEq μ] 
E ⊢ A<:>A' type   E,x:A ⊢ b↔b':A 
E ⊢ μ(x:A)b ↔ μ(x:A')b' : A 

[Πη / Quest_c] 
E ⊢ b : Π(X::K)B   X∉dom(E) 
E ⊢ (λ(X::K)b(X)) ↔ b : Π(X::K)B 

[→η / Quest_c] 
E ⊢ b : A→B   x∉dom(E) 
E ⊢ (λ(x:A)b(x)) ↔ b : A→B 

Value coercion 

[VCoer Id / Quest_c] 
E ⊢ a:A 
E ⊢ c_{A,A}(a) ↔ a : A 

[VCoer Comp / Quest_c] 
E ⊢ a:A   E ⊢ A<:B   E ⊢ B<:C 
E ⊢ c_{B,C}(c_{A,B}(a)) ↔ c_{A,C}(a) : C 

[VCoer Top / Quest_c] extra 
E ⊢ a:A 
E ⊢ c_{A,Top}(a) ↔ top : Top 

[VCoer Π / Quest_c] 
E ⊢ b:Π(X::K)B   E ⊢ A :: K'   E ⊢ Π(X::K)B <: Π(X::K')B' 
E ⊢ (c_{Π(X::K)B,Π(X::K')B'}(b))(A) ↔ c_{B{X←A},B'{X←A}}(b(A)) : B'{X←A} 

[VCoer → / Quest_c] 
E ⊢ b : A→B   E ⊢ a : A'   E ⊢ A→B <: A'→B' 
E ⊢ (c_{A→B,A'→B'}(b))(a) ↔ c_{B,B'}(b(c_{A',A}(a))) : B' 

[VCoer μ / Quest_c] 
E ⊢ a : μ(X)A   E ⊢ μ(X)A <: μ(Y)B 
E ⊢ c_{μ(X)A,μ(Y)B}(a) ↔ c_{A{X←μ(X)A},B{Y←μ(Y)B}}(a) : μ(Y)B 

Value computation 

[Π β] 
E ⊢ (λ(X::K)b)(A) : B 
E ⊢ (λ(X::K)b)(A) ↔ b{X←A} : B 

[→ β] 
E ⊢ (λ(x:A)b)(a) : B 
E ⊢ (λ(x:A)b)(a) ↔ b{x←a} : B 

E ⊢ μ(x:A)b : A 
E ⊢ μ(x:A)b ↔ b{x←μ(x:A)b} : A 

2.10 Records and other encodings 

Record types are one of the main motivations for studying type systems with 
subtyping [Cardelli 88]. However, in this paper we do not need to model them directly (as 
already done in [Bruce Longo 89]), since they can be syntactically encoded to a great extent. 

More precisely, we show how to encode the record calculus of [Cardelli Wegner 85], 
although we do not know yet how to encode the more powerful calculi of [Wand 89] and 
[Cardelli Mitchell 89]. Moreover, we show how to encode the functional update problem 
discussed in [Cardelli Mitchell 89]; this problem cannot be represented in the calculus of 
[Cardelli Wegner 85]. 

In this section we discuss these encodings, and then we feel free to ignore records in 
the rest of the paper. 

We start by encoding product types, in the usual way: 

A×B = Π(C)(A→B→C)→C 

pair : Π(A) Π(B) A→B→A×B 
  = λ(A) λ(B) λ(a:A) λ(b:B) λ(C) λ(f:A→B→C) f(a)(b) 

fst : Π(A) Π(B) A×B→A 
  = λ(A) λ(B) λ(c:A×B) c(A)(λ(x:A)λ(y:B)x) 

snd : Π(A) Π(B) A×B→B 
  = λ(A) λ(B) λ(c:A×B) c(B)(λ(x:A)λ(y:B)y) 

We often use a more compact notation: 

a,b      = a,_{A×B} b       = pair(A)(B)(a)(b) 
fst(c)   = fst_{A×B}(c)     = fst(A)(B)(c) 
snd(c)   = snd_{A×B}(c)     = snd(A)(B)(c) 

The expected rules for products are now derivable: 

E ⊢ A <: A'   E ⊢ B <: B' 
E ⊢ A×B <: A'×B' 

E ⊢ P <: A×B   E ⊢ p:P 
E ⊢ fst_{A×B}(p) : A 

E ⊢ P <: A×B   E ⊢ p:P 
E ⊢ snd_{A×B}(p) : B 



As a first step toward records, we define extensible tuple types as iterated products 
ending with Top, and extensible tuple values as iterated pairs ending with top. A similar 
encoding appears in [Fairbairn 89]. 

Tuple(A_1,...,A_n) = A_1×(...×(A_n×Top)..) 

tuple(a_1,...,a_n) = a_1,(...,(a_n, top)..) 

Hence: 

E ⊢ a_1 : A_1 ... E ⊢ a_n : A_n 
E ⊢ tuple(a_1,...,a_n) : Tuple(A_1,...,A_n) 

E ⊢ A_1 <: B_1 ... E ⊢ A_n <: B_n ... E ⊢ A_m type 
E ⊢ Tuple(A_1,...,A_n,...,A_m) <: Tuple(B_1,...,B_n) 

For example: Tuple(A, B) <: Tuple(A) since A <: A, B×Top <: Top, and × is monotonic. 

We now need to define tuple selectors (corresponding to product projections). This 
would be a family sel_{i,n} of terms selecting the i-th component of a tuple of length n. In 
fact, by using subtyping it is sufficient to define a family sel_i of terms for extracting the 
i-th component of any tuple of sufficient length: 

sel_1 : Π(A_1) A_1×Top→A_1 
  = λ(A_1) λ(t:A_1×Top) fst_{A_1×Top}(t) 

sel_2 : Π(A_2) Top×A_2×Top→A_2 
  = λ(A_2) λ(t:Top×A_2×Top) fst_{A_2×Top}(snd_{Top×A_2×Top}(t)) 

etc. 
We can also define tuple updators, that is, terms that replace the i-th component of a 
tuple with a given value. The crucial point here is that these updators do not forget 
information about the type of the components that are not affected by the update. To 
achieve this effect, we must use knowledge of the encoding of tuples as pairs. Again, we 
can define a family upd_i instead of a family upd_{i,n}. 

upd_1 : Π(B_1) Π(B_tl) Π(A_1) B_1×B_tl→A_1→A_1×B_tl 
  = λ(B_1) λ(B_tl) λ(A_1) 
    λ(t:B_1×B_tl) λ(a_1:A_1) a_1, snd_{B_1×B_tl}(t) 

upd_2 : Π(B_1) Π(B_2) Π(B_tl) Π(A_2) B_1×B_2×B_tl→A_2→B_1×A_2×B_tl 
  = λ(B_1) λ(B_2) λ(B_tl) λ(A_2) 
    λ(t:B_1×B_2×B_tl) λ(a_2:A_2) fst(t),(a_2, snd(snd(t))) 

etc. 

These definitions solve the functional update problem [Cardelli Mitchell 89] for tuples. 
This problem can be explained by the following example, where we update a field of a 
tuple in such a way that the updating function works equally well on subtypes of the 
stated tuple type. 

We have a type of geometric points defined as Point = Tuple(Int,Int), where the 
integers represent respectively the x and y components. Since these are tuples, a point can 
have additional components, for example a color; then it is a member of ColorPoint = 
Tuple(Int,Int,Color). We further assume that the subrange type 0..9 is a subtype of Int. 

The problem consists in defining a function moveX that increments the x component 
of a point, returning another Point. Moreover, when applied to a ColorPoint (with 
adequate type parameters) this function should return a ColorPoint, and not just a Point. 

One might think that moveX has type Π(A<:Point) A→A. This is not the case; we 
show that the parameter type A must change appropriately from input to output. 

Point = Tuple(Int,Int) 

moveX : Π(B_1<:Int) Π(B_tl<:Tuple(Int)) B_1×B_tl→Int×B_tl 
  = λ(B_1<:Int) λ(B_tl<:Tuple(Int)) λ(p:B_1×B_tl) 
    upd_1(B_1)(B_tl)(Int)(p)(sel_1(Int)(p)+1) 

Obviously, we have: 

p : Point = tuple(9,0) 
moveX(Int)(Tuple(Int))(p) = tuple(10,0) : Point 

However, note that in the following example the result does not, and must not, have type 
Tuple(0..9,Int): 

p : Tuple(0..9,Int) <: Point = tuple(9,0) 
moveX(0..9)(Tuple(Int))(p) = tuple(10,0) : Point 

We can also verify that color is preserved: 

p : Tuple(0..9,Int,Color) <: ColorPoint = tuple(9,0,red) 
moveX(0..9)(Tuple(Int,Color))(p) = tuple(10,0,red) : ColorPoint 

Hence, we obtain a moveX function with the desired properties, but only by taking 
advantage of the encoding of tuples as products. Note that in the input type of moveX, 
Point is split into Int and Tuple(Int). 
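The tuple encoding and moveX above can be run as untyped terms, since the type parameters play no computational role. The following Python version is an added example, not code from the paper: Church pairs, the top terminator, sel_i, upd_i and moveX are written as in the text with all type arguments erased; TOP, tuple_, to_list and the other helper names are this example's own choices.

```python
# Church-encoded pairs: a,b = λ(f) f(a)(b). Type arguments (A, B, C) are erased,
# which is exactly the "computations as type-free activities" view of section 2.5.
def pair(a, b):
    return lambda f: f(a)(b)

def fst(c):
    return c(lambda x: lambda y: x)

def snd(c):
    return c(lambda x: lambda y: y)

TOP = object()   # the canonical value top, which terminates every encoded tuple

def tuple_(*items):
    """tuple(a1,...,an) = a1,(...,(an, top)..): iterated pairs ending with top."""
    t = TOP
    for a in reversed(items):
        t = pair(a, t)
    return t

def to_list(t):
    """Decode an encoded tuple into a Python list (inspection only, not part of the calculus)."""
    out = []
    while t is not TOP:
        out.append(fst(t))
        t = snd(t)
    return out

def sel(i, t):
    """sel_i: i-1 applications of snd followed by fst. Works on any tuple of length >= i,
    which is what the subtyping Tuple(A1,...,Am) <: Tuple(A1,...,An) buys us."""
    for _ in range(i - 1):
        t = snd(t)
    return fst(t)

def upd(i, t, a):
    """upd_i: rebuild the first i pairs around the new component, and keep the tail
    pointer unchanged, so components after slot i survive the update untouched."""
    if i == 1:
        return pair(a, snd(t))            # a_1, snd(t)
    return pair(fst(t), upd(i - 1, snd(t), a))   # fst(t), (..., snd(...))

def move_x(p):
    """moveX: increment the x component (slot 1) of a point, preserving any extra slots."""
    return upd(1, p, sel(1, p) + 1)
```

Applied to tuple(9,0,red) the result still carries the colour, which is the behaviour the typed moveX guarantees statically through its B_tl parameter.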

Now we turn to the encoding of records Rcd(ℓ_1:A_1, ... ,ℓ_n:A_n); these are unordered 
product types with components indexed by distinct labels ℓ_i. 

We fix a standard enumeration of labels ℓ_1, ℓ_2, ... . Then a record type is the shortest 
tuple type where the type component of label ℓ_i is found in the tuple slot of index i, for 
each i. The remaining slots are filled with Top. For example: 

Rcd(ℓ_3:C, ℓ_1:A) = Tuple(A, Top, C) 

Under this encoding, record types that differ only on the order of components are 
equivalent, and we have the familiar: 

E ⊢ A_1 <: B_1 ... E ⊢ A_n <: B_n ... E ⊢ A_m type 
E ⊢ Rcd(ℓ_1:A_1,...,ℓ_n:A_n,...,ℓ_m:A_m) <: Rcd(ℓ_1:B_1,...,ℓ_n:B_n) 

Record values are similarly encoded, for example: 

rcd(ℓ_3=c, ℓ_1=a) = tuple(a, top, c) 

E ⊢ a_1 : A_1 ... E ⊢ a_n : A_n 
E ⊢ rcd(ℓ_1=a_1,...,ℓ_n=a_n) : Rcd(ℓ_1:A_1,...,ℓ_n:A_n) 

E ⊢ r : Rcd(ℓ_1:A_1,...,ℓ_i:A_i,...,ℓ_n:A_n) 
E ⊢ r.ℓ_i : A_i 

E ⊢ r : Rcd(ℓ_1:A_1,...,ℓ_i:A_i,...,ℓ_n:A_n)   E ⊢ b:B 
E ⊢ r.ℓ_i←b : Rcd(ℓ_1:A_1,...,ℓ_i:B,...,ℓ_n:A_n) 

Here record selection r.ℓ_i is defined via sel_i(r), and record update r.ℓ_i←b is defined via 
upd_i(r)(b). 



Note that it is not possible to write a version of moveX for records solely by using the 
derived operators above. The functional update problem can be solved only by using 
knowledge of the encodings, as was done for tuples. In this respect (an encoding of) a 
calculus like the one in [Cardelli Mitchell 89] is still to be preferred, since it can express the 
moveX functions independently of encodings. 

Under the encodings above, more programs are typable than we would normally 
desire; this is to be expected of any encoding strategy. The important point here is that the 
familiar typing and computation rules are sound. 
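The tuple encoding of records, worked out in code. This is an added example in Python, not the paper's own code and not Quest: it assumes a fixed label enumeration (x, y, color), a few base types (Int, Color, the subrange 0..9 with 0..9 <: Int, and Top), and the names rcd_type, rcd, sel, upd, select and update, all of which are the example's own. Order-independence of the encoding, width and depth subtyping on the encoded tuples (a missing slot and a Top slot are treated alike), the Tuple(0..9,Int) <: Point case from the moveX discussion, and the functional update of the x field of a colored point are all checked by demo().

```python
# Added example: the Top-padded tuple encoding of record types and values.
# Types are plain Python tuples of type names; the label table, the base
# types and the subtype facts below are constructed for this demonstration
# and are not part of the Quest definition.

# Standard enumeration of labels: label -> slot index i (1-based, as in the text).
LABELS = {"x": 1, "y": 2, "color": 3}

# Constructed base subtype facts: 0..9 <: Int; every type <: Top is built in.
BASE_SUB = {("0..9", "Int")}


def subtype(a, b):
    """A <: B for base types and for encoded tuple types."""
    if b == "Top" or a == b:
        return True
    if isinstance(a, tuple) and isinstance(b, tuple):
        # Tuple(A1..Am) <: Tuple(B1..Bn) iff m >= n and Ai <: Bi for i <= n:
        # a longer tuple forgets its extra components, just as a Top slot does.
        return len(a) >= len(b) and all(subtype(x, y) for x, y in zip(a, b))
    return (a, b) in BASE_SUB


def rcd_type(**fields):
    """Rcd(l1:A1,...,ln:An) as the shortest tuple type with label li at slot i."""
    width = max(LABELS[label] for label in fields)
    slots = ["Top"] * width
    for label, ty in fields.items():
        slots[LABELS[label] - 1] = ty
    return tuple(slots)


def rcd(**fields):
    """rcd(l1=a1,...,ln=an) as a tuple padded with the value top (here: None)."""
    width = max(LABELS[label] for label in fields)
    slots = [None] * width
    for label, val in fields.items():
        slots[LABELS[label] - 1] = val
    return tuple(slots)


def sel(i, t):
    """sel_i: the i-th component of a tuple value (1-based)."""
    return t[i - 1]


def upd(i, t, b):
    """upd_i: functional update, a new tuple with slot i replaced by b."""
    return t[: i - 1] + (b,) + t[i:]


def select(r, label):
    """r.l, derived as sel_i(r) with i the slot of label l."""
    return sel(LABELS[label], r)


def update(r, label, b):
    """r.l <- b, derived as upd_i(r)(b)."""
    return upd(LABELS[label], r, b)


def demo():
    point = rcd_type(x="Int", y="Int")                       # Tuple(Int, Int)
    color_point = rcd_type(x="Int", y="Int", color="Color")  # Tuple(Int, Int, Color)
    p = rcd(y=0, x=9, color="red")                           # tuple(9, 0, red)
    moved = update(p, "x", select(p, "x") + 1)               # moveX on a ColorPoint
    return {
        "point": point,
        "color_point": color_point,
        "ordering_irrelevant": rcd_type(color="C", x="A") == ("A", "Top", "C"),
        "colorpoint_sub_point": subtype(color_point, point),
        "point_sub_colorpoint": subtype(point, color_point),
        "subrange_point_sub_point": subtype(("0..9", "Int"), point),
        "moved": moved,
    }
```

Because subtyping on the encoded tuples is by prefix, the encoding also accepts some relations one would not write for records (any tuple is a subtype of a shorter prefix of itself), which is the "more programs are typable than we would normally desire" point of the paragraph above.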



3. PER and ω-Set

The rest of the paper describes the mathematical meaning of the Quest system described in the previous section. The goal here is to guarantee the (relative) consistency of Quest's type and equational theories. The model, though, is also meant to suggest consistent extensions. This is one of the reasons for which we construct a specific (class of) model(s), instead of suggesting general definitions. These may be obtained by slight modifications of the work in [Bruce Longo 88], or, even better, by following the categorical approach in [Asperti Longo 91]. Indeed, in the latter case, the invention of a general categorical meaning for subtyping and subkinds would be a relevant contribution.

In this part, we first try to give the structural (and partly informal) meaning of kinds, types, and terms, as well as their crucial properties. The reader will find the properties formally described in part 2 reflected over sets and functions, and should grasp the essence of the translation. Part 4 develops further the details of the interpretation of Quest_c that the experienced reader could give by himself, at that point. Part 5 describes Quest with the subsumption rule, instead of with coercions.

Because of the presence of type operators, the structure of kinds is at least as rich as the type structure of the typed λ-calculus. Thus, kinds need to be interpreted as objects of a Cartesian Closed Category, CCC. The category we will be using is ω-Set below. Its objects must, of course, include the kind of types, which in turn must be structured as a CCC.
In a sense, we need a frame (or global) category, inside which we may view the category of types as an object. More precisely, we need a frame category and an internal category, but we will not go into this here, except in remark 3.1.5. The general approach by internal categories was suggested by Moggi and has been developed by several authors; see 3.1.5 for references.

The specific structures used here, that is ω-Set and PER below, are described in [Longo Moggi 88], where their main categorical properties are also given. The approach in [Longo Moggi 88] is elementary: indeed, these categories may be seen as subcategories of Hyland's Effective Topos (see [Hyland 82 and 87] for the topos-theoretic approach). The idea of interpreting subtypes as subrelations is borrowed from [Bruce Longo 89], where the semantics of Quest's progenitor system, Bounded Fun (with coercions), was first given.

3.1 Semantics of kinds and types 

The key idea in the underlying mathematical construction is to use a set-theoretic approach where the addition of some effectiveness prevents the difficulties discussed in [Reynolds 84]. In this regard, the blend of set-theoretic intuition and elementary computability provides a simple but robust guideline for the interpretation of programming constructs.

The construction is based on Kleene's applicative structure (ω, ·), where ω is the set of natural numbers, together with a standard gödelization φ_n of the computable functions in ω→ω, and where · is the operator such that n·m = φ_n(m). However, the same mathematical construction works for any (possibly partial) combinatory algebra, in particular on any model of the type-free λ-calculus. We prefer, in this part, Kleene's (ω, ·) in view of everybody's familiarity with elementary recursion theory. In part 5, though, we will base our construction on models of the type-free λ-calculus.

Definition 3.1.1

The category ω-Set has:
objects: ⟨A, ⊩_A⟩ ∈ ω-Set iff
    A is a set and ⊩_A ⊆ ω×A is a relation, such that ∀a∈A. ∃n. n ⊩_A a
morphisms: f ∈ ω-Set[A,B] iff
    f: A → B and ∃n. n ⊩_{A→B} f,
    where n ⊩_{A→B} f ⇔ ∀a∈A. ∀p. p ⊩_A a ⇒ n·p ⊩_B f(a)  □

Thus, each morphism in ω-Set is "computable" in the sense that it is described by a partial recursive function that is total on {p | p ⊩_A a}, for each a∈A. If p ⊩ a (we may omit the subscripts), we say that p realizes a (or p computes a).

We next define the category of types. When A is a symmetric and transitive relation on ω, we set:

n A m iff n is related to m by A,
dom(A) = {n | n A n},
[n]_A = {m | m A n}, the equivalence class of n with respect to A,
Q(A) = {[n]_A | n ∈ dom(A)}, the quotient set of A.

Definition 3.1.2

The category PER (of Partial Equivalence Relations) has
objects: A ∈ PER iff
    A is a symmetric and transitive relation on ω,
morphisms: f ∈ PER[A,B] iff
    f: Q(A) → Q(B) and ∃n. ∀p. (p A p ⇒ f([p]_A) = [n·p]_B)  □

PER is a category where the identity map, in each type, is computed by (at least) any index of the identity function on ω.

The category PER can be fully and faithfully embedded into ω-Set. In fact, for every partial equivalence relation (p.e.r.) A, define the ω-set In(A) = ⟨Q(A), ∈_A⟩, where Q(A) are the equivalence classes of A as subsets of ω, and ∈_A is the usual membership relation restricted to ω×Q(A). Clearly, ∈_A defines a realizability relation in the sense of 3.1.1 and the functor In is full and faithful. Note that ∈_A is a single-valued relation, as equivalence classes are disjoint subsets of ω.

The following simple fact may help in identifying the maps in PER, by viewing them also as morphisms in ω-Set. (The reader should practice going from one category to the other; the next proposition is just an exercise with this purpose.)

Proposition 3.1.3

Let f ∈ PER[A,C], then

p ⊩_{A→C} f (in ω-Set)  ⇔  ∀r. (r A r ⇒ [p·r]_C = f([r]_A))

Proof

p ⊩_{A→C} f  ⇔  ∀a∈Q(A). ∀r ⊩_A a. p·r ⊩_C f(a)
             ⇔  ∀r. r A r ⇒ p·r ∈ f([r]_A),
since ⊩ coincides with ∈ (with respect to an equivalence class). Hence we must show:

∀r. (r A r ⇒ p·r ∈ f([r]_A))  ⇔  ∀r. (r A r ⇒ [p·r]_C = f([r]_A)).

Case ⇐) Obvious, since p·r ∈ [p·r]_C.
Case ⇒) Suppose [p·r]_C ≠ f([r]_A); then [p·r]_C ∩ f([r]_A) = ∅ since Q(C) is a quotient, but p·r ∈ [p·r]_C, and by hypothesis p·r ∈ f([r]_A). Contradiction. □

What is relevant for us, though, is that PER may be viewed also as an object of ω-Set; this interprets the fact that T is a kind. The point is that the objects of PER form a set and every set may be viewed as an ω-set:

Definition 3.1.4

Let Δ: Set → ω-Set be given by Δ(S) = ⟨S, ⊩_S⟩, where ⊩_S = ω×S, that is, ∀n ∀s. n ⊩_S s (the full relation). The function Δ is extended to a functor by setting Δ(f) = f, the identity on morphisms. □

In particular, set M_0 = Δ(PER) ∈ ω-Set, the ω-set of types.

Remark 3.1.5 (For readers with some experience in Category Theory.)

ω-Set was equivalently defined in [Hyland 82] as the "¬¬-separated objects" in his Effective Topos, Eff. The category ω-Set has all finite limits and is a locally CCC (see below for the cartesian closure). The embedding Δ above preserves exponents and limits. Moreover, one may embed ω-Set into Eff by a functor which preserves limits and the lCCC structure.

By this, the present approach applies in a simple set-theoretic framework the results in [Hyland 87], [Pitts 87], [Hyland Pitts 87], [Carboni Freyd Scedrov 87], and [Bainbridge Freyd Scedrov Scott 87]. The general treatment of models, as internal categories of categories with finite limits, which was suggested by Moggi, is given in [Asperti Martini 89] and [Asperti Longo 90]. The elegant presentation in [Meseguer 88] compares various approaches. We use here the fact that ω-Set is closed under products indexed over itself and, in particular, we use the completeness of PER as an internal category. The categorical products are exactly those naively defined below (to within isomorphism). Both the explicit definition of PER as an internal category and the required (internal) adjunctions are given in detail in [Longo Moggi 88], which is written also for non-category-theorists. (See also [Asperti Longo 90].) □

The reason for the next definitions is that we need to be able to give meaning, over these structures, to kinds and types constructed as products, as expressed in rules [kf Π] and [tf Π] in section 2.9. We take care of this point first, since it deals with the crucial aspect of impredicativity in Quest. A first idea is to try to understand those rather complex kinds and types as indexed products, in the naive sense of set theory. Namely, given a set A and a function G: A → Set, define as usual:

⨉_{a∈A} G(a) = {f | f: A → ∪_{a∈A} G(a) and f(a) ∈ G(a)}.

This product wouldn't work, but the following simple restriction to realizable maps f will work.

Definition 3.1.6

Let ⟨A, ⊩_A⟩ ∈ ω-Set and G: A → ω-Set. Define the ω-set ⟨Π_{a∈A} G(a), ⊩_{ΠG}⟩ by

1) f ∈ Π_{a∈A} G(a) iff f ∈ ⨉_{a∈A} G(a) and ∃n. ∀a∈A. ∀p ⊩_A a. n·p ⊩_{G(a)} f(a),

2) n ⊩_{ΠG} f iff ∀a∈A. ∀p ⊩_A a. n·p ⊩_{G(a)} f(a)  □

When the range of G is restricted to PER we obtain a product in PER:

Definition 3.1.7

Let ⟨A, ⊩_A⟩ ∈ ω-Set and G: A → PER. Let Π_{a∈A} G(a)_PER ∈ PER be defined by

n (Π_{a∈A} G(a)_PER) m iff ∀a∈A. ∀p,q ⊩_A a. n·p G(a) m·q  □

A crucial property of ω-Set is that the products defined in 3.1.6 and 3.1.7 are isomorphic for G: A → PER.

Theorem 3.1.8 ([Bruce Longo 89])

Let ⟨A, ⊩_A⟩ ∈ ω-Set and G: A → PER. Then

⟨Π_{a∈A} In(G(a)), ⊩_{ΠG}⟩ ≅ In(Π_{a∈A} G(a)_PER) in ω-Set.

Proof

Let ⊩_{ΠG} be defined as in 3.1.6. We first prove that ⊩_{ΠG} is a single-valued relation. Assume that n ⊩_{ΠG} f ∧ n ⊩_{ΠG} h. We show that ∀a∈A. f(a) = h(a) and thus that f = h. By definition ∀a∈A. ∀p ⊩_A a. n·p ⊩_{G(a)} f(a) ∧ n·p ⊩_{G(a)} h(a), and thus f(a) = h(a) since, for all a, the relation ⊩_{G(a)} is single-valued (and any a in A is realized by some natural number).

The isomorphism is given by J(f) = {n | n ⊩_{ΠG} f}; thus the range of J is a collection of disjoint sets in ω (equivalence classes). The isomorphism J and its inverse are realized by the (indices for the) identity function. □

The existence in PER of "products" indexed over arbitrary ω-sets is a very relevant fact. The point is to show that these objects are real products, in a precise categorical sense; this is hinted at in remark 3.1.5. What we can do here, in our elementary approach, is to use the idea in definition 3.1.7 in order to construct exponents as particular cases of products.

Corollary 3.1.9

ω-Set and PER are CCC's. Moreover, the embedding In: PER → ω-Set is full, faithful and preserves the structure of CCC.

Proof

Observe that if G: A → ω-Set is a constant function, G(a) = ⟨B, ⊩_B⟩ for all a∈A, say, then ⟨Π_{a∈A} G(a), ⊩_{ΠG}⟩ = ⟨B^A, ⊩_{A→B}⟩ is the exponent representing ω-Set[A,B] in ω-Set. Clearly, in that case, n ⊩_{A→B} f iff ∀a∈A. ∀p ⊩_A a. n·p ⊩_B f(a). Products are defined by using any bijective pairing function from ω×ω to ω. Any singleton set S gives a terminal object Δ(S). Eval and the currying operation Λ are defined as in Set and are realized by (the indices of) the universal function and the function s of the s-m-n theorem. (The reader may check this as an exercise or see [Asperti Longo 90] for details.)

The same argument applies to PER by taking, for A ∈ PER, G: A → PER constant in 3.1.8. (Just recall that PER may be viewed as the ω-set M_0 = Δ(PER) and set ⟨A, ⊩_A⟩ = M_0.) Or also, by embedding PER in ω-Set by In, the corresponding ω-sets give exponents, products, and terminal objects (up to isomorphism), as In trivially satisfies the properties stated. □

To clarify the construction, let's look more closely at exponent objects in PER. Take, say, A→B, that is, the representative of PER[A,B]. Then by definition each map f ∈ PER[A,B] is uniquely associated with the equivalence class of its realizers, [p]_{A→B} ∈ A→B, say, in the sense of 3.1.3.

It should be clear that the notion of realizer, or "type-free computation" computing the typed function, is made possible by the underlying type-free universe (ω, ·). As we will discuss later, this gives mathematical meaning to the intended type-free computations of a typed program after compilation. For now, this feature of the realizability model suggests a distinction among isomorphisms in our categories, which does not need to make sense in other frames (and is relevant for the intuition on which our mathematical understanding is based):

Definition 3.1.10

An isomorphism f: A ≅ B in ω-Set is identical (or is an identical isomorphism) if both f and its inverse f⁻¹ are realized by the indices of the identity function. □

It is easy to rephrase this notion for objects in PER. Note though that A ≅ B in PER via an identical isomorphism iff A = B (that is, A and B are equal).

In ω-Set, though, the isomorphism in 3.1.8 is identical (but it is not an identity).

Proposition 3.1.11

In: PER → ω-Set preserves products and exponents to within identical isomorphism.

Proof

Exercise. (The category-oriented reader may check these preservation properties also for equalizers, limits, etc., and observe that they are generally not on the nose.) □

In summary, our types may be essentially viewed as kinds, by a very natural (and 
strong) embedding. We applied this embedding in theorem 3.1.8, and gave there a unified 
understanding of various products and arrows in the syntax. However, theorem 3.1.8 
really leads to much more than the cartesian closure of PER, which is shown in corollary 
3.1.9. In plain terms, 3.1.8 is the crucial step towards the meaning of the second-order 
(polymorphic) types, namely of the types obtained by indexing a collection of types over 
a kind, possibly over the collection of all types (an impredicative construction). 

3.2 Inclusion and power kinds 

The purpose of this section is to set the basis for the semantics of the subkind and 
subtype relations in Quest. 

Definition 3.2.1 (subkinds)

Let ⟨A, ⊩_A⟩, ⟨B, ⊩_B⟩ ∈ ω-Set. Define:

⟨A, ⊩_A⟩ ≤ ⟨B, ⊩_B⟩ iff A ⊆ B and ∀a∈A. ∀n. (n ⊩_A a ⇒ n ⊩_B a)  □

The idea in this definition is that kinds may be related by the ≤ relation in ω-Set only when they are actually subsets and when the realizability relation is defined in accordance with this. Thus there is no need of coercions (equivalently, coercions are just identity functions). Hence, the subsumption rule [KSub] for kinds is realized. Subtyping will be interpreted in PER in a more subtle way, which allows a closer look at the computational properties of the types of programs.

Definition 3.2.2 (subtypes)

Let A, B ∈ PER. Define:

A ≤ B iff ∀n,m. (n A m ⇒ n B m)  □

Both ≤ relations, in ω-Set and in PER, are reflexive and transitive. They are even antisymmetric, because for ⟨A, ⊩_A⟩, ⟨B, ⊩_B⟩ ∈ ω-Set we have ⟨A, ⊩_A⟩ = ⟨B, ⊩_B⟩ ⇔ ⟨A, ⊩_A⟩ ≤ ⟨B, ⊩_B⟩ ∧ ⟨B, ⊩_B⟩ ≤ ⟨A, ⊩_A⟩. Similarly, for C, D ∈ PER we have C = D ⇔ C ≤ D ∧ D ≤ C.

The semantic notion of subtype we are using here is the one defined in [Bruce Longo 89]. However, we differ from that approach for subkinds, in order to model the strong relation we formalized in the syntax of Quest.

Clearly ≤ is a partial order which turns the objects of PER into an algebraic complete lattice. When A and B are in PER and A ≤ B, then there is a coercer c_{A,B} from A to B. It is defined by the map c_{A,B}: Q(A) → Q(B) such that c_{A,B}([n]_A) = [n]_B, which is computed by any index of the identity function. By definition, c_{A,B} is uniquely determined by A and B. (We may omit the subscripts if there is no ambiguity.)

Intuitively, given n such that n A n, the coercion c_{A,B} takes its A-equivalence class, [n]_A, to its (possibly larger) B-equivalence class, [n]_B. This is why c_{A,B}, the coercion morphism, is computed by all the indices of the identity function. Note that in general [n]_A is smaller than [n]_B; they coincide just when Q(A) ⊆ Q(B), a special case of A ≤ B. Note also that for A, B ∈ PER, if In(A) ≤ In(B) regarded as ω-sets, then A ≤ B. The reverse implication holds only when Q(A) ⊆ Q(B). The result is that, here, ≤ is used with a slightly different meaning in the two categories, in contrast to the approach in [Bruce Longo 89]. The advantage is given by the construction of a model of the current rich kind and type theory.

The power operation is expressed in terms of quasi-functors, a weak notion of categorical transformation between categories, widely used in several settings. (See [Martini 88] for recent applications to the semantics of the λ-calculus.) This interpretation is due to the blend of set-theoretical and categorical intuition at the base of the current model of subtyping in a higher-order language. Quasi-functors take morphisms to sets of morphisms which behave consistently with respect to application (see below), and are such that the image of each identity map contains the identity in the target category.

Definition 3.2.3

The power quasi-functor 𝒫: PER → ω-Set is given by:
on objects: 𝒫A = ⟨{B ∈ PER | B ≤ A}, ⊩⟩, where ∀B ≤ A. ∀n. n ⊩ B;
on morphisms: for f: A→C and p ⊩ f, define 𝒫_p(f) pointwise by

    m 𝒫_p(f)(B) n iff ∃m',n'. m' B n' and m = p·m' and n = p·n'

Set then 𝒫(f) = {𝒫_p(f) | p ⊩ f}. □

For each f: A→C and p ⊩ f, one has 𝒫_p(f) ∈ ω-Set[𝒫A, 𝒫C], since ω-Set[𝒫A, 𝒫C] = Set[𝒫A, 𝒫C] in view of the full realizability relation given to the ω-set 𝒫C. (More generally, each set-theoretic function which has as its target an object in the range of Δ: Set → ω-Set is realizable by all indices.)

It is also easy to observe that 𝒫(f∘g) ⊆ 𝒫(f)∘𝒫(g) and id ∈ 𝒫(id) for f, g, and id in the due types. This proves that 𝒫 is a quasi-functor.
We claim that the interpretation of subtyping we are using faithfully corresponds to the intuitive semantics of subtyping (or is "compelling", as suggested in [Mitchell 88] with reference to [Bruce Longo 89]).

Note first that the coercion c in general is not a mono (or injective map) in PER. It happens to be so only when Q(A) ⊆ Q(B), that is, when one also has In(A) ≤ In(B), as ω-sets. Indeed, the topos-theoretic notion of subobject as mono from A to B, given by Q(A) ⊆ Q(B), would not be able to give us the antimonotonicity of → in the first argument, and thus the simple but important theorems 3.4.1 and 3.4.2.

Moreover, in categories (and toposes) one usually works "to within isomorphisms", 
while the programming understanding of subtypes and inheritance is surely not "to within 
isomorphism". At most, the programming understanding is "to within identical 
isomorphisms", as a general isomorphism may be a very complicated program and is not 
likely to be computationally irrelevant. 

In conclusion, we want a mathematical semantics which reflects the intuition of the 
programmer, who views a subtype almost as a subset, but not exactly, as some coercion 
may be allowed. Our model suggests what sort of coercions may be generally natural: 
they must be computed by the type-free identical maps and preserved by identical 
isomorphisms. 

This interpretation explains why coercions may disappear in the description of the programming language and why they do not show up at compile time, even though they do not need to be exactly the identity. In our understanding, the compilation of a typed program into its type-free version corresponds to the passage from a morphism in the category of types or kinds, PER or ω-Set, to its type-free realizers. Type coercions, in particular, are realized by identical computations.

Because of this interplay between sets, computations, and categories, the present 
approach to subtypes is halfway between the set-theoretic notion of subset and the 
category (or topos) theoretic subobjects. We claim that this is a suitable mathematical 
understanding of the programmer's attitude. 

We interpret now the formal equivalence of kinds and types as the equality in the model. It is then easy to prove that the relations ≤ in 3.2.1-3.2.2, and the quasi-functor 𝒫 in 3.2.3, satisfy the applicable properties listed under "Kind inclusion" and "Type inclusion" in section 2.9. We are then left with justifying subsumption and coercion, described in section 2.5. We have already discussed the meaning of coercions; these ideas will lead to the formal interpretation of Quest_c in part 4. Subsumption and Quest will be dealt with in part 5. As already mentioned, recursive types and functions are not considered.
3.3 Operator kinds

The formation, introduction, and elimination rules for operators ([kf Π], [ti Π], and [te Π]) are easily taken care of. Definition 3.1.6 tells us that we can form a kind, the ω-set ⟨Π_{a∈A} G(a), ⊩_{ΠG}⟩, out of any kind (ω-set) ⟨A, ⊩⟩ and any function G: A → ω-Set [kf Π]. By definition, the elements of ⟨Π_{a∈A} G(a), ⊩_{ΠG}⟩ are the (computable) functions f such that, when fed with a∈A, give as output elements f(a) of G(a). This is exactly what rules [ti Π] and [te Π] formalize.

Rule [tΠβ] is understood in the model by the behavior of a λ-term as a function. Indeed, [tΠη] stresses that in any model, functions are interpreted extensionally.

3.4 The kind of types

The lattice PER has ω = (ω, ω×ω) as largest element, that is, ω with the full relation. Clearly, this p.e.r. contains just one equivalence class, ω itself. Thus the p.e.r. ω gives meaning to Top, and its unique class ω to top. Moreover, the ω-set of all p.e.r.'s is given by M_0 = 𝒫(ω).

Rule [tf Π] here is given meaning by definition 3.1.7. The interpretation is apparently very simple, but there is a crucial asymmetry with respect to [kf Π]. Rule [kf Π] has the structure:

    kind    kind
    kind

Rule [tf Π], instead, looks like:

    kind    type
    type

In particular, the kind on the left may be T, the kind of types.

This schema is the crucial type construction in explicit polymorphism. It is impredicative in that, in order to know what types are, one must already know their entire collection, T. ([Feferman 87, 88] and [Longo 88] provide further discussions.) This peculiar type construction is reflected in the related rules.

In [vi Π] one allows the formation of terms where abstraction is not done with respect to variables ranging over a type, as in the first-order case. Instead, they range over a kind (possibly T again). By this, it makes sense by rule [ve Π] to apply a term to an element of a kind (possibly a type, and even the type of that very term). This is the dimensional clash which is hard to justify mathematically, and is a central difficulty in the semantics of polymorphism.

Theorem 3.1.8 relates [kf Π] and [tf Π] by telling us that they are interpreted by the same construction, in the universe of ω-sets. This gives mathematical unity and clarity of meaning. In particular, it says that the interpretations of terms constructed by [vi Π] are going to be computable functions which may be fed with elements of an ω-set and which then output a term of the expected type, as required by [ve Π] and as modeled in the structure by definition 3.1.6.

Rule [TIncl Π] is validated by the following theorem.

Theorem 3.4.1

Let ⟨A, ⊩_A⟩, ⟨A', ⊩_{A'}⟩ ∈ ω-Set and G: A → PER, G': A' → PER. Assume A' ≤ A in ω-Set and that ∀a'∈A'. G(a') ≤ G'(a'), in PER. Then:

Π_{a∈A} G(a) ≤ Π_{a'∈A'} G'(a'), in PER.

Proof

Recall that n (Π_{a∈A} G(a)_PER) m iff ∀a∈A. ∀p,q ⊩_A a. n·p G(a) m·q. Then ∀a∈A'. ∀p,q ⊩_{A'} a. n·p G(a) m·q. Since n·p G(a) m·q implies n·p G'(a) m·q, we are done. □

With reference to the discussion on rules [kf Π] and [tf Π] above, a type formation rule for products with the structure:

    type    type
    type

would be a first-order rule and may be soundly interpreted over PER [Ehrhard 88]. Quest(c) has nothing of this structure for products, as it complicates typechecking and compilation. An implicit use of it is the formal description and the semantics of records given in [Bruce Longo 89]. In the current paper we could avoid any reference to first-order constructs by coding record types in the second-order language (section 2.10). More on their interpretation will be given in section 3.5.

As for ordinary higher-type functions, the interpretation of their rules, by corollary 3.1.9, is given as a special case of the meaning of the rules above, except for [TIncl →], since in this specific model types happen to be kinds (by the embedding In). The arrow types are just degenerate products (that is, products defined by a constant function, as in 3.1.9).

As an exercise, let's see what happens to the exponents in PER and their elements (the equivalence classes). This may be done by a little theorem, which proves the validity of rule [TIncl →] in section 2.8.

Proposition 3.4.2

Let A, A', B, B' ∈ PER be such that A' ≤ A and B ≤ B'. Then A→B ≤ A'→B'. In particular, for n (A→B) n, [n]_{A→B} ⊆ [n]_{A'→B'}.

Proof

n (A→B) m  ⇔  ∀p,q. (p A q ⇒ n·p B m·q)
           ⇒  ∀p,q. (p A' q ⇒ n·p B' m·q),
               as p A' q ⇒ p A q ⇒ n·p B m·q ⇒ n·p B' m·q
           ⇔  n (A'→B') m
The rest is obvious. □

Proposition 3.4.2 gives the antimonotonicity of → in its first argument, as formalized in the rules of Quest [TIncl →], and required by inheritance. Moreover, and more related to the specific nature of this interpretation, proposition 3.4.2 reveals a nice interplay between the extensional meaning of programs and the intensional nature of the underlying structure.

Indeed, typed programs are interpreted as extensional functions in their types, as we identify each morphism in PER with the equivalence class of its realizers. That is, if n ⊩_{A→B} f, then [n]_{A→B} ∈ A→B represents f ∈ PER[A,B] in the exponent object A→B. Assume for example that M: A→B is interpreted by f ∈ PER[A,B]. (For the moment we will call A both a type and that type's interpretation as a p.e.r.; see part 4 where the interpretation of terms and types is given.) In the assumption of the proposition, f ∈ PER[A,B] and c(f) ∈ PER[A',B'] are distinct elements, and live in different function spaces. The element c(f) is uniquely obtained by the coercion c, which gives meaning to adjusting the types in M in order to obtain a program in A'→B'. Also, when viewed as equivalence classes of realizers, f and c(f) are different sets of numbers.

However, the intended meaning of inheritance is that one should be able to run any program in A→B on terms of type A' also, as A' is included in A. When n ⊩_{A→B} f, this is exactly what [n]_{A→B} ⊆ [n]_{A'→B'} expresses: any computation which realizes f in the underlying type-free universe actually computes c(f) also. Of course, there may be more programs for c(f), in particular if A' is strictly smaller than A. Thus, even though f and c(f) are distinct maps (at least because they have different types) and interpret different programs, their type-free computations are related by a meaningful inclusion, namely

[n]_{A→B} ⊆ [n]_{A'→B'} in this model.

This elegant interplay between the extensional collapse, which is the key step in the hereditary construction of the types as partial equivalence relations, and the intensional nature of computations is a fundamental feature of the realizability models.
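Definitions 3.1.7, 3.2.1 and 3.2.2 and proposition 3.4.2 in miniature. The following is an added example in Python, not the paper's code: it replaces Kleene's (ω, ·) by a constructed finite application table over eight codes (so partiality and all the quantifiers are decidable by brute force), and the names app, is_per, cls, leq, coerce, In, omega_leq, pi_per and arrow are the example's own. It builds A→B as the product over In(A) with a constant G, as in corollary 3.1.9, and exhibits, for a subtype EVEN ≤ NAT and a supertype NAT ≤ PARITY, the inclusion [n]_{NAT→NAT} ⊆ [n]_{EVEN→PARITY} of realizer classes with the larger class strictly bigger, which is the "more programs for c(f)" remark above.

```python
# Added example (not from the paper): a finite stand-in for the PER and
# omega-Set constructions of section 3.  Kleene's (omega, .) is replaced by the
# constructed table _TABLE over CODES = 0..7, with None meaning "undefined", so
# every definition below is checked exhaustively.
from itertools import product

CODES = range(8)

_TABLE = {
    0: lambda m: m,                               # identity
    1: lambda m: (m + 1) % 8,                     # successor
    2: lambda m: 0,                               # constant 0
    3: lambda m: m % 2,                           # parity
    4: lambda m: (2 * m) % 8,                     # doubling
    5: lambda m: m // 2 if m % 2 == 0 else None,  # halving, undefined on odd input
    6: lambda m: 1,                               # constant 1
    7: lambda m: (m + 2) % 8,                     # add two
}

def app(n, m):
    """n.m: apply the function with index n to m; None when undefined."""
    return _TABLE[n](m)

def is_per(r):
    """Definition 3.1.2: a p.e.r. is a symmetric and transitive relation."""
    symmetric = all((m, n) in r for (n, m) in r)
    transitive = all((n, k) in r for (n, m) in r for (m2, k) in r if m == m2)
    return symmetric and transitive

def dom(r):
    return {n for (n, m) in r if n == m}

def cls(r, n):
    """[n]_r: the equivalence class of n with respect to r."""
    return frozenset(m for m in CODES if (m, n) in r)

def quotient(r):
    return {cls(r, n) for n in dom(r)}

def leq(a, b):
    """A <= B in PER (definition 3.2.2): n A m implies n B m."""
    return a <= b

def coerce(a, b, n):
    """c_{A,B}([n]_A) = [n]_B: the coercion, computed by the identity on codes."""
    assert leq(a, b) and n in dom(a)
    return cls(b, n)

def In(a):
    """In(A) = (Q(A), membership): an omega-set whose classes are realized by their members."""
    return {c: set(c) for c in quotient(a)}

def omega_leq(x, y):
    """<= in omega-Set (definition 3.2.1): subset, with realizers preserved."""
    return all(e in y and x[e] <= y[e] for e in x)

def pi_per(x, g):
    """Pi_{a in X} G(a) as a p.e.r. (definition 3.1.7): n ~ m iff for every a and
    all realizers p, q of a, n.p and m.q are defined and n.p G(a) m.q."""
    rel = set()
    for n, m in product(CODES, repeat=2):
        if all(app(n, p) is not None and app(m, q) is not None
               and (app(n, p), app(m, q)) in g(a)
               for a, realizers in x.items()
               for p, q in product(realizers, repeat=2)):
            rel.add((n, m))
    return frozenset(rel)

def arrow(a, b):
    """A -> B as the product over In(A) with constant G (corollary 3.1.9)."""
    return pi_per(In(a), lambda _a: b)

# Constructed p.e.r.'s: the discrete relation on all codes, its restriction to
# the even codes (a subtype), the "same parity" relation (a supertype of the
# discrete one), and the full relation, which interprets Top (section 3.4).
NAT = frozenset((n, n) for n in CODES)
EVEN = frozenset((n, n) for n in CODES if n % 2 == 0)
PARITY = frozenset((n, m) for n, m in product(CODES, repeat=2) if n % 2 == m % 2)
TOP = frozenset(product(CODES, repeat=2))

def demo():
    """Proposition 3.4.2 on the constructed data, and the realizer inclusion."""
    f_nat, f_sub = arrow(NAT, NAT), arrow(EVEN, PARITY)
    return {
        "all_pers": all(is_per(r) for r in (NAT, EVEN, PARITY, TOP, f_nat, f_sub)),
        "premises": leq(EVEN, NAT) and leq(NAT, PARITY) and omega_leq(In(EVEN), In(NAT)),
        "antimonotone": leq(f_nat, f_sub),                   # NAT->NAT <= EVEN->PARITY
        "succ_in_nat_arrow": cls(f_nat, 1),                   # {1}: only code 1 is the successor
        "succ_in_sub_arrow": coerce(f_nat, f_sub, 1),         # {1, 6}: more programs for c(f)
        "partial_code": (5 in dom(f_sub), 5 in dom(f_nat)),   # (True, False)
        "top_is_largest": all(leq(r, TOP) for r in (NAT, EVEN, PARITY)),
    }
```

Since everything is finite, leq is plain inclusion of relations and the coercion really is the identity on codes: the class of the successor index 1 in NAT→NAT is {1}, while in EVEN→PARITY the constant-1 program 6 computes the same map on even inputs up to parity, so c(f) has the strictly larger class {1, 6}. The partial halving program 5 is in the domain of EVEN→PARITY but not of NAT→NAT, showing how a program can realize a map on the smaller input type without realizing any on the larger one.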

3.5 Records

Formally, there is nothing to be said about the semantics of records, as they are a derived notion. However, we mention one crucial merit of the coding proposed and its meaning.

Record types should not be understood simply as cartesian products. The main reason is that the meaning of a record type R' with more fields than a record type R (but where all the fields in R are in R') should be smaller than the meaning of R. Indeed, R' contains fewer record realizers. This situation was obtained, say, in the PER interpretation of [Bruce Longo 89] by understanding record types as indexed, first-order products. That is, if I is a (finite) set of (semantic) labels, then Π_{i∈I} A_i would interpret a record whose fields are interpreted by the A_i's. By theorem 3.4.1, Π_{i∈I} A_i gives the required contravariance in the meaning of records.

In the present approach, we can use the expressive power of Quest as a higher-order language with a Top type, and model records with little effort. Record types are coded as ordered tuples. Top is the last factor of the product and replaces missing fields (with respect to the order), and by doing so it guarantees contravariance. This intuition is precisely reflected in the model, by interpreting Top as the largest p.e.r. Thus, any extension of a given record type by informative fields, that is, by fields whose meaning is different from the full relation on ω, gives smaller p.e.r.'s.

4. Semantic interpretation of Quest c 

In this section we give the formal semantics of Quest c over the co-Set/PER model. 
The basic idea, for the inductive definition, is to interpret type environments as co-sets 
with a realizability notion which codes pairs as elements of a dependent sum. In this way, 
if for example E = (0, y: B, x: A), then [El contains all pairs: 

<e,a> with ee [0, y: Bj and ae [0, y: B h A typeje 
In this approach one has to interpret judgments, not just terms, as judgments contain the 
required information to interpret (free) variables. For example, the variable x is given 
meaning within the judgment E h x:A, say, for E as above. In particular, its interpretation 
[E h x:Ale', for a fixed environment value e' = <e,a>e EE], is the second projection and 
gives ae [0, y: B h A typeje. (See also [Scedrov 1988], [Luo 1988].) The projection is clearly 
a realizable map, that is, it is computed by the index of a partial recursive function. Note 
that the interpretation of closed terms depends on the judgments they appear in, in 
particular on the types they are assigned to. 

Moreover, the meaning of a judgment gives, simultaneously, the interpretation of a 
construct (kind, type, or term) and makes a validity assertion; for example, it says that a 
given term actually lives in the given type, under the given assumptions. 

Kinds, types, and terms are interpreted as maps from the ω-set interpreting the given 
environment to ω-Set, PER, and the intended type, respectively. As our morphisms are 
extensional functions, the interpretation is uniquely determined by their behavior on the 
elements of the environment. The indexes realizing these maps may be computed by 
induction, using as base the indexes for the projection functions. The crucial step is the 
interpretation of lambda abstraction and application for terms. For example, given a 
realizer p for the map $\langle e,A\rangle \mapsto [\![E, X{::}K \vdash b{:}B]\!]\langle e,A\rangle$, a realizer for $e \mapsto [\![E \vdash \lambda(X{::}K)b : \Pi(X{::}K)B]\!]e$ 
is obtained by the recursive function s of the s-m-n (or iteration) theorem, 
namely by an index for $n \mapsto s(\langle p,n\rangle)$, where $s(\langle p,n\rangle)(m) = p(\langle n,m\rangle)$. Similarly, any 
index for the universal partial recursive function gives the realizers for an applicative 
term. We prefer to leave to the reader the intensional details of the computations and 
focus on the extensional presentation of the interpretation maps. These maps already 
require a fair amount of detail for a full description and should not be further obscured by 
the explicit mention of the indexes of the realizable functions. 

Observe that, in a fixed environment, kinds are interpreted as ω-sets, while types are 
p.e.r.'s. More precisely, operator kinds are functions which take an element of a kind 
(possibly a type) as input and give an element of a kind (possibly a type) as output. Also, 
these functions live in an ω-set, which is obtained as an indexed product in the sense of 
3.1.6. 

As is common when dealing with CCC's, we make no distinction between an 
exponent object, the p.e.r. $A \to B$, say, and the set of morphisms, PER[A,B], it represents. 
Thus, the meaning of a term in PER[A,B], say, may be viewed either as a function from 
the p.e.r. A to the p.e.r. B, or as the equivalence class of its realizers in the p.e.r. $A \to B$ 
(see also definition 4.1.1(1) below). This poses no problem with regard to ω-Set, since 
an exponent object is exactly an (ω-)set of (realizable) functions, as in the category of 
sets. 

4.1 Interpretation 

We interpret, in order, environments, kinds, types, and terms. 

Environments 

$E = \emptyset$: $[\![E]\!] = \langle \{\emptyset\}, \Vdash \rangle$ where $\forall n \in \omega.\ n \Vdash \emptyset$ 

$E = E', X{::}K$: $[\![E]\!] = \langle \{\langle e,A\rangle \mid e \in [\![E']\!] \wedge A \in [\![E' \vdash K\ \mathrm{kind}]\!]e\},\ \Vdash_E \rangle$ 

where $\langle n,m\rangle \Vdash_E \langle e,A\rangle$ iff $n \Vdash_{E'} e$ and $m \Vdash_{[\![E' \vdash K\ \mathrm{kind}]\!]e} A$ 

$E = E', x{:}A$: $[\![E]\!] = \langle \{\langle e,a\rangle \mid e \in [\![E']\!] \wedge a \in [\![E' \vdash A\ \mathrm{type}]\!]e\},\ \Vdash_E \rangle$ 

where $\langle n,m\rangle \Vdash_E \langle e,a\rangle$ iff $n \Vdash_{E'} e$ and $m \Vdash_{[\![E' \vdash A\ \mathrm{type}]\!]e} a$ 

Kinds 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash T\ \mathrm{kind}]\!]e = M_0$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash \mathcal{P}(A)\ \mathrm{kind}]\!]e = \mathcal{P}[\![E \vdash A\ \mathrm{type}]\!]e$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash \Pi(X{::}K)L\ \mathrm{kind}]\!]e = \langle \Pi_{A \in [\![E \vdash K\ \mathrm{kind}]\!]e}\, G(A),\ \Vdash_{\Pi G} \rangle$ 

where $G : [\![E \vdash K\ \mathrm{kind}]\!]e \to \omega\text{-Set}$ is given by 
$G(A) = [\![E, X{::}K \vdash L\ \mathrm{kind}]\!]\langle e,A\rangle$ 

Types 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash \lambda(X{::}K)B :: \Pi(X{::}K)L]\!]e \in \Pi_{A \in [\![E \vdash K\ \mathrm{kind}]\!]e}\, [\![E, X{::}K \vdash L\ \mathrm{kind}]\!]\langle e,A\rangle$ 

such that $\forall A \in [\![E \vdash K\ \mathrm{kind}]\!]e$. 

$([\![E \vdash \lambda(X{::}K)B :: \Pi(X{::}K)L]\!]e)(A) = [\![E, X{::}K \vdash B{::}L]\!]\langle e,A\rangle$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash B(A) :: L\{X \leftarrow A\}]\!]e = ([\![E \vdash B :: \Pi(X{::}K)L]\!]e)([\![E \vdash A{::}K]\!]e)$ 

$\vdash E = E', X_n{::}K_n, E''\ \mathrm{env}$: 

$\forall e = \langle \ldots \langle e_n, A_n\rangle, \ldots \rangle \in [\![E]\!].\ [\![E \vdash X_n{::}K_n]\!]e = A_n \in [\![E' \vdash K_n\ \mathrm{kind}]\!]e_n$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash \mathrm{Top}\ \mathrm{type}]\!]e = \omega = (\omega, \omega \times \omega)$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash \Pi(X{::}K)B\ \mathrm{type}]\!]e = \Pi_{A \in [\![E \vdash K\ \mathrm{kind}]\!]e}\, [\![E, X{::}K \vdash B\ \mathrm{type}]\!]\langle e,A\rangle$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash A \to B\ \mathrm{type}]\!]e = [\![E \vdash A\ \mathrm{type}]\!]e \to [\![E \vdash B\ \mathrm{type}]\!]e$ 

Terms 

$\vdash E = E', x_n{:}A_n, E''\ \mathrm{env}$: 

$\forall e = \langle \ldots \langle e_n, a_n\rangle, \ldots \rangle \in [\![E]\!].\ [\![E \vdash x_n{:}A_n]\!]e = a_n \in [\![E' \vdash A_n\ \mathrm{type}]\!]e_n$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash \mathrm{top}{:}\mathrm{Top}]\!]e = \omega$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash c_{A,B}(a){:}B]\!]e = c_{[\![E \vdash A\ \mathrm{type}]\!]e,\,[\![E \vdash B\ \mathrm{type}]\!]e}([\![E \vdash a{:}A]\!]e)$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash \lambda(X{::}K)b : \Pi(X{::}K)B]\!]e \in \Pi_{A \in [\![E \vdash K\ \mathrm{kind}]\!]e}\, [\![E, X{::}K \vdash B\ \mathrm{type}]\!]\langle e,A\rangle$ 

such that $\forall A \in [\![E \vdash K\ \mathrm{kind}]\!]e$. 

$([\![E \vdash \lambda(X{::}K)b : \Pi(X{::}K)B]\!]e)(A) = [\![E, X{::}K \vdash b{:}B]\!]\langle e,A\rangle$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash b(A) : B\{X \leftarrow A\}]\!]e = ([\![E \vdash b : \Pi(X{::}K)B]\!]e)([\![E \vdash A\ \mathrm{type}]\!]e)$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash \lambda(x{:}A)b : A \to B]\!]e \in [\![E \vdash A\ \mathrm{type}]\!]e \to [\![E \vdash B\ \mathrm{type}]\!]e$ 

such that $\forall a \in [\![E \vdash A\ \mathrm{type}]\!]e$. 

$([\![E \vdash \lambda(x{:}A)b : A \to B]\!]e)(a) = [\![E, x{:}A \vdash b{:}B]\!]\langle e,a\rangle$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash b(a) : B]\!]e = ([\![E \vdash b : A \to B]\!]e)([\![E \vdash a{:}A]\!]e)$ 

In view of the interpretation of kinds, types, and terms, the meaning of the judgments 
is the obvious one. The :: and : relations go to ∈ for ω-sets and p.e.r.'s, respectively; the 
relations <:: and <: are interpreted as subkind and subtype in ω-Set and PER; finally, 
<::> and <:> are just equality. 

Indeed, by induction on types and terms, one may check directly that this is a good 
interpretation. In particular, one can check that all the given functions are actually 
realized, as mentioned above, and hence that types and terms inhabit the intended 
function and product spaces; see 4.1.2. (For example, $[\![E \vdash \lambda(X{::}K)b : \Pi(X{::}K)B]\!]e$ is 
actually in $\Pi_{A \in [\![E \vdash K\ \mathrm{kind}]\!]e}\, [\![E, X{::}K \vdash B\ \mathrm{type}]\!]\langle e,A\rangle$.) However, this also follows from 
general categorical facts, namely the cartesian closure of ω-Set and the observation that 
PER, viewed as $M_0$, is an internal CCC of ω-Set where the internal product Π is right 
adjoint to the diagonal functor. (We obtain an internal model of Girard's Fω; see [Asperti 
Longo 1990], where the general categorical meaning of Fω is given.) 

The next theorem, whose proof is left to the reader, summarizes all these facts, and 
states the soundness of the interpretation. Before stating it, though, we set a better 
foundation for the interplay of the interpretations of "terms as functions" and "terms as 
equivalence classes". This is done by the following definition, which extends the 
applicative structure of $(\omega, \cdot)$ to equivalence classes (we write $[n]_A$ for the equivalence 
class of n in the p.e.r. A), and also to the application of an equivalence class to an element 
of an ω-set (cf. 3.1.7). 

Definition 4.1.1 

1 - Let A and B be p.e.r.'s. Define then, for $n\,(A \to B)\,n$ and $m\,A\,m$, 

$[n]_{A \to B} \cdot [m]_A = [n \cdot m]_B$ 

2 - Let $\langle K, \Vdash_K \rangle \in \omega\text{-Set}$ and $G : K \to \mathrm{PER}$. Set, for short, $\Pi = \Pi_{A \in K}\, G(A)$ in PER and 
define, for $n\,\Pi\,n$, $A \in K$, and $p \Vdash A$: 

$[n]_\Pi \cdot A = [n \cdot p]_{G(A)}$ 

(Note that "·" : $\Pi \times K \to \bigcup_{A \in K} G(A)$ depends on K and G.) This is well defined as 
$[n \cdot p]_{G(A)}$ does not depend on the choice of the number p, which realizes A. □ 

By this explicit reconstruction of the applicative behavior, one may more clearly 
understand equivalence classes in the p.e.r.'s $A \to B$ and $\Pi_{A \in K}\, G(A)$ as functions in the 
due types. 
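The following Python block is an added example and is not part of the paper or of the Quest implementation. It builds a finite slice of the PER model, enough to check by computation the claims made above: Top is the largest p.e.r., a record extended with an informative field is a smaller p.e.r. than the Top-padded tuple it extends (hence a subtype), arrow spaces are contravariant in the domain, and the class application of Definition 4.1.1(1) is independent of the representatives chosen. The carrier INTS, the p.e.r.'s Int, Bool and Mod2, and the list FUNS of Python callables standing in for realizers are all constructed here for illustration; application of a realizer is a Python call. The laws hold for all realizers, so restricting to a finite list is a faithful witness, though not a substitute for the proofs.

```python
"""Finite slice of the PER model (added example; carrier, p.e.r.'s and realizers are
constructed here for illustration, they are not the paper's)."""

class PER:
    """A p.e.r. on a finite carrier `elems`: `rel(n, m)` decides n A m and is assumed
    symmetric and transitive.  dom(A) = {n | n A n}; cls(n) is the class [n]_A."""
    def __init__(self, elems, rel):
        self.elems, self.rel = list(elems), rel
    def dom(self):
        return [n for n in self.elems if self.rel(n, n)]
    def cls(self, n):
        assert self.rel(n, n), "n must be in dom(A)"
        return frozenset(m for m in self.elems if self.rel(n, m))
    def pairs(self):
        return {(n, m) for n in self.elems for m in self.elems if self.rel(n, m)}
    def leq(self, other):
        """A <= B in PER, i.e. inclusion of relations: the model's subtype order."""
        return set(self.elems) == set(other.elems) and self.pairs() <= other.pairs()

def top(carrier):
    """Top: the full relation on the carrier, a single equivalence class."""
    return PER(carrier, lambda n, m: True)

def prod(A, B):
    """A x B on pairs: <n,m> (A x B) <n',m'> iff n A n' and m B m'."""
    return PER([(a, b) for a in A.elems for b in B.elems],
               lambda x, y: A.rel(x[0], y[0]) and B.rel(x[1], y[1]))

def arrow(A, B, realizers):
    """A -> B restricted to the listed callables: f (A->B) g iff f(p) B g(q) whenever p A q."""
    return PER(realizers, lambda f, g: all(B.rel(f(p), g(q))
                                           for p in A.elems for q in A.elems if A.rel(p, q)))

def apply_cls(AB, A, B, f, a):
    """[f]_{A->B} . [a]_A = [f(a)]_B (Definition 4.1.1(1)).  Every pair of representatives
    is tried and the result must be unique: that is what well-definedness means."""
    results = {B.cls(g(b)) for g in AB.cls(f) for b in A.cls(a)}
    assert len(results) == 1, "application of classes would be ill defined"
    return results.pop()

INTS = [0, 1, 2, 3]                                                   # constructed carrier slice
Int  = PER(INTS, lambda n, m: n == m and n in INTS)                   # four singleton classes
Bool = PER(INTS, lambda n, m: n == m and n in (0, 1))                 # dom {0,1}: Bool <: Int
Mod2 = PER(INTS, lambda n, m: n in INTS and m in INTS and n % 2 == m % 2)  # coarser: Int <: Mod2
FUNS = [lambda x: x, lambda x: 1 - x, lambda x: 0, lambda x: x * x, lambda x: x % 2]

def top_is_largest():
    """Every p.e.r. on the carrier sits below Top, and Top is not below a proper one."""
    T = top(INTS)
    return all(A.leq(T) for A in (Int, Bool, Mod2)) and not T.leq(Int)

def record_subtyping():
    """{a:Int} = Int x Top and {a:Int, b:Bool} = Int x (Bool x Top), on the same carrier
    of nested pairs: the extended record is the smaller p.e.r., i.e. the subtype."""
    rest = [(b, k) for b in INTS for k in INTS]          # what Top stands for in {a:Int}
    rec_a  = prod(Int, top(rest))
    rec_ab = prod(Int, prod(Bool, top(INTS)))
    return rec_ab.leq(rec_a), rec_a.leq(rec_ab)

def arrow_contravariance():
    """Bool <: Int gives Int->Int <: Bool->Int (domain, contravariant) and
    Int->Bool <: Int->Int (codomain, covariant); the naive direction fails."""
    dom_ok = arrow(Int, Int, FUNS).leq(arrow(Bool, Int, FUNS))
    cod_ok = arrow(Int, Bool, FUNS).leq(arrow(Int, Int, FUNS))
    naive  = arrow(Bool, Int, FUNS).leq(arrow(Int, Int, FUNS))   # x*x is in Bool->Int only
    return dom_ok, cod_ok, naive

def class_application():
    """x%2 and x are the same morphism Mod2 -> Mod2, and 1 Mod2 3; applying the class of
    either to the class of either argument yields the same class [1]_{Mod2} = {1, 3}."""
    M2 = arrow(Mod2, Mod2, FUNS)
    same_morphism = FUNS[0] in M2.cls(FUNS[4])
    return same_morphism, apply_cls(M2, Mod2, Mod2, FUNS[4], 1)

def identity_is_polymorphic():
    """The realizer of the identity is in dom(A->A) for every A in the slice, hence in
    the intersection of all A->A; x*x is not, since it leaves Int on 3."""
    arrows = [arrow(A, A, FUNS) for A in (Int, Bool, Mod2)]
    return (all(FUNS[0] in S.dom() for S in arrows),
            all(FUNS[3] in S.dom() for S in arrows))
```

The record check is the point of the paragraph that closes section 3: both record p.e.r.'s live on the same carrier of nested pairs, and the one with the informative Bool field relates strictly fewer pairs, so it sits below the other in PER. The last function shows, on the same slice, why one realizer can inhabit every arrow space A → A at once, which is the situation the intersection interpretation of section 5 exploits.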



Theorem 4.1.2 

$\vdash E\ \mathrm{env}$ $\Rightarrow$ $[\![E]\!]$ is a well-defined ω-set 

$E \vdash K\ \mathrm{kind}$ $\Rightarrow$ $\forall e \in [\![E]\!].\ [\![E \vdash K\ \mathrm{kind}]\!]e$ is a well-defined ω-set 

$E \vdash A{::}K$ $\Rightarrow$ $\forall e \in [\![E]\!].\ [\![E \vdash A{::}K]\!]e \in [\![E \vdash K\ \mathrm{kind}]\!]e$ 

$E \vdash A\ \mathrm{type}$ $\Rightarrow$ $\forall e \in [\![E]\!].\ [\![E \vdash A\ \mathrm{type}]\!]e \in M_0$ 

$E \vdash a{:}A$ $\Rightarrow$ $\forall e \in [\![E]\!].\ [\![E \vdash a{:}A]\!]e \in [\![E \vdash A\ \mathrm{type}]\!]e$ 

$E \vdash K <:: L$ $\Rightarrow$ $\forall e \in [\![E]\!].\ [\![E \vdash K\ \mathrm{kind}]\!]e \le [\![E \vdash L\ \mathrm{kind}]\!]e$ in ω-Set 

$E \vdash A <: B$ $\Rightarrow$ $\forall e \in [\![E]\!].\ [\![E \vdash A\ \mathrm{type}]\!]e \le [\![E \vdash B\ \mathrm{type}]\!]e$ in PER 

$E \vdash K <::> L$ $\Rightarrow$ $\forall e \in [\![E]\!].\ [\![E \vdash K\ \mathrm{kind}]\!]e = [\![E \vdash L\ \mathrm{kind}]\!]e$ 

$E \vdash A <:> B$ $\Rightarrow$ $\forall e \in [\![E]\!].\ [\![E \vdash A\ \mathrm{type}]\!]e = [\![E \vdash B\ \mathrm{type}]\!]e$ 

$E \vdash a \leftrightarrow b$ $\Rightarrow$ $\forall e \in [\![E]\!].\ [\![E \vdash a{:}A]\!]e = [\![E \vdash b{:}A]\!]e$ □ 



4.2 Emulating coercions by bounded quantification 

In Quest_c and in its current interpretation we have no subsumption, but instead we 
have coercions. This means that programs of the form 

$(\lambda(x{:}B)d)(a)$ where $a{:}A <: B$ (with $A \neq B$)    (1) 

are not legal: an explicit coercion has to be applied, as in 

$(\lambda(x{:}B)d)(c_{A,B}(a))$    (2) 

In this latter case, one may avoid both subsumption and coercions and recast (1) via 
an additional bounded quantifier: 

$(\lambda(X <: B)\lambda(x{:}X)d)(A)(a)$    (3) 

It is clear that (3) has the same effect as (1) or as (2), since this is how (1) can be correctly 
expressed in our current framework, by coercions. The fact that (2) and (3) are equivalent 
is a fairly deep property of the semantics, relating a bounded quantifier to a coercion. In 
general, this is not derivable from the syntax. 

The following theorem states that, semantically, coercions can be removed in favor of 
bounded quantifiers. 

Recall that $E \vdash a : A$ and $E \vdash A <: B$ imply $E \vdash c_{A,B}(a) : B$. 
Theorem 4.2.1 

Assume that $E \vdash d : D$, $E \vdash a : A$ and $E \vdash A <: B$. Then, in PER one has 

$(\lambda(X <: B)\lambda(x{:}X)d)(A)(a) = (\lambda(x{:}B)d)(c_{A,B}(a))$ 

Proof 

For simplicity, we fix an environment e and identify types A, B, and D with their 
meanings as p.e.r.'s in e. 

Set $\Pi = \Pi_{X <: B}\, X \to D$ and let $[n]_\Pi = [\![E \vdash (\lambda(X <: B)\lambda(x{:}X)d) : \Pi(X <: B)(X \to D)]\!]e \in \Pi$. 
Then $[n]_\Pi \cdot C = [n \cdot p]_{C \to D}$ for any C, such that $E \vdash C <: B$, and any p, since any number p 
realizes C, when $C \le B$, by definition of the power quasi-functor. 

Let now m be such that $[\![E \vdash a : A]\!]e = [m]_A$. Then $c_{A,B}([m]_A) = [m]_B$ and: 

$[\![E \vdash (\lambda(X <: B)\lambda(x{:}X)d)(A)(a) : D]\!]e$ 
$= [n]_\Pi \cdot A \cdot [m]_A = [n \cdot p]_{A \to D} \cdot [m]_A = [n \cdot p \cdot m]_D$ 
$= [n \cdot p]_{B \to D} \cdot [m]_B$, where $n \cdot p\ (B \to D)\ n \cdot p$, by 4.1.1(1) 
$= [n]_\Pi \cdot B \cdot [m]_B$, by 4.1.1(2) 
$= [\![E \vdash (\lambda(X <: B)\lambda(x{:}X)d)(B)(c_{A,B}(a)) : D]\!]e$ 
$= [\![E \vdash (\lambda(x{:}B)d)(c_{A,B}(a)) : D]\!]e$, by the syntax. □ 

In Quest_c, we dropped the subsumption rule in favor of coercions. However, there is 
also a proof-theoretic reason to warn the programmer about the use of subsumption in 
connection with (η); namely, the equational system of typed terms would not be Church-
Rosser any more (with respect to the obvious reduction rules). Consider, say, 

$\lambda(x{:}A)(\lambda(y{:}B)e)x$, where x is not free in $\lambda(y{:}B)e$, 

and let $A <: B$. 

In the presence of subsumption, this program would type-check, for any e and C such 
that $e{:}C$. However, 

$\lambda(x{:}A)(\lambda(y{:}B)e)x \to \lambda(y{:}B)e : B \to C$ by (η) 

$\lambda(x{:}A)(\lambda(y{:}B)e)x \to \lambda(x{:}A)e : A \to C$ by (β) 

and confluence would be lost. Because of this, we abandon (η) in part 5. 

In Quest_c, the program one has in mind when writing $\lambda(x{:}A)(\lambda(y{:}B)e)x$ is actually 
described by the polymorphic term: 

$\lambda(x{:}A)(\lambda(X <: B)\lambda(y{:}X)e)(A)(x)$ 

which yields confluent reductions. 

For this reason, (η) is adopted in Quest as an equality rule, but not as a computation 
rule. 

5. Semantic interpretation of Quest 

In this section we model the original version of Quest, namely the language based on 
the subsumption rule [TSub/Quest] of section 2.9, instead of on coercions. 

Subsumption is important for at least two reasons. First, programming with explicit 
coercions becomes too cumbersome; much of the appeal of subtyping has to do with the 
flexibility and compactness provided by subsumption. Second, subsumption is intended 
not as an arbitrary coercion, but as a coercion that performs no work; this is essential for 
capturing the flavor of object-oriented programming, where subsumption is used freely as 
a way of viewing objects as members of different types. 

Hence we feel we are justified in presenting more complex semantic techniques in 
order to give a faithful representation of subsumption. 

Let $(D, \cdot)$ be a model of the type-free lambda calculus. The construction of the categories 
D-Set and $\mathrm{PER}_D$ over $(D, \cdot)$ works similarly. Indeed, all the work carried on so far can 
be easily generalized to any (possibly partial) Combinatory Algebra or model of 
Combinatory Logic. In view of the relevance of Kleene's realizability interpretation of 
Intuitionistic Logic for these models, it is fair to call "realizability structures" the 
categories D-Set and $\mathrm{PER}_D$ over a Combinatory Algebra $(D, \cdot)$. As already mentioned, 
we preferred $(\omega, \cdot)$ as it is more directly related to Kleene's work and because of the 
immediate intuitive appeal of classical recursion theory. However, we now need to be 
able to give meaning to type-free terms, which cannot be done over $(\omega, \cdot)$. For this 
purpose, we work over an arbitrary λ-model: that is, an applicative structure $(D, \cdot)$ with 
an interpretation $D[\![\,\cdot\,]\!]$ of λ-terms defined, say, as in [Hindley Longo 80] or [Barendregt 84]. 

The interpretation of Quest is given in two steps. First we translate typed terms into 
terms of the type-free calculus, by "erasing types". We add to the latter only a constant 
symbol "top", in order to take care of the corresponding constant in Quest. 

In the second step, we use the meaning of the erased terms to interpret typed terms. 
Environments, kinds, and types will be interpreted as in Quest_c, except for an 
"isomorphic change" in the interpretation of product types. As for types in particular, this 
interpretation is possible since, in view of our formal definition of subkinds and of its 
semantics, we had no kind coercions even in Quest_c, but just type coercions. 

Terms may still be understood as morphisms, in the due types. We already used the 
identification of morphisms with the equivalence classes of their realizers. In the 
interpretation of Quest we exploit this correspondence and interpret typed terms directly 
as equivalence classes, with no ambiguity. 

Briefly, for each environment $e = \langle \ldots \langle e_n, a_n\rangle, \ldots \rangle \in [\![E]\!]$ we choose an environment 
map $s_e : \mathrm{Var} \to D$ which picks up an element of the equivalence class $a_n$. Then, by using 
these environment maps, we interpret a typed term as the equivalence class which 
contains the interpretation of its erasure. 

The interpretation will not depend on the particular choice of the environment map. 
5.1 Preliminaries and structures 

The categories D-Set and $\mathrm{PER}_D$ over $(D, \cdot)$ are defined exactly as ω-Set and PER 
over $(\omega, \cdot)$, in 3.1.1 and 3.1.2. However, their use in the semantics of Quest will be 
slightly changed in a crucial point. Second-order impredicative quantification will not be 
interpreted exactly by the set-theoretic indexed product of realizable functions, as in 
3.1.7. We will use instead an isomorphic, but not identical, interpretation of this 
quantification by p.e.r.'s obtained as a straightforward set-theoretic intersection. This is 
made possible by the following simple, but fundamental theorem, which establishes a 
connection between the previous interpretation of higher-order quantification and the one 
given in [Girard 72] and [Troelstra 73]. It was first suggested by Moggi and actually started 
most of the recent work on the semantics of polymorphism, by suggesting that Girard's 
model could be given a relevant categorical explanation. (See remark 3.1.5.) We use it 
here as a tool for our semantic interpretation of Quest. We report its proof since it matters 
for our purposes, as we point out in remark 5.1.2. Note first that, if $\{A_i\}_{i \in I}$ is a collection 
of p.e.r.'s, then $\bigcap_{i \in I} A_i$ is also a p.e.r. by 

$n\,(\bigcap_{i \in I} A_i)\,m$ iff $n\,A_i\,m$ for all $i \in I$ 

Theorem 5.1.1 

Let $\langle A, \Vdash_A \rangle \in D\text{-Set}$ be such that $\Vdash_A = D \times A$ and let $G : A \to \mathrm{PER}_D$. Then: 

$(\Pi_{a \in A}\, G(a))_{\mathrm{PER}_D} = \bigcap_{a \in A} G(a)$ in $\mathrm{PER}_D$ 

Proof ([Longo Moggi 88]) 

Let $S = \bigcap_{a \in A} G(a) \in \mathrm{PER}_D$. By definition both $\Pi_{a \in A}\, G(a)$ and S are in $\mathrm{PER}_D$. 
Thus we need to define a bijection $H : S \to \Pi_{a \in A}\, G(a)$ and prove that it is realized 
with its inverse. 

Let $H([n]_S) = \lambda a \in A.\ [n]_{G(a)}$. Clearly, $H([n]_S) \in \Pi_{a \in A}\, G(a)$ and H is well defined, since 
$[n]_S = [m]_S$ implies $n\,G(a)\,m$ for all $a \in A$, and hence $[n]_{G(a)} = [m]_{G(a)}$. 
Consider now the combinator k such that $k \cdot p \cdot q = p$, for all $p, q \in D$. Then $k \cdot n$ realizes 
$H([n]_S)$, since 

$\forall a \in A.\ \forall q \Vdash_A a.\ k \cdot n \cdot q = n \in [n]_{G(a)} = H([n]_S)(a)$, 

and k realizes H. It is easy to observe that H is injective. Let us prove that H is surjective. 
If $h \in \Pi_{a \in A}\, G(a)$, then by definition, $\exists m \Vdash h$; that is, 

$\exists m.\ \forall a \in A.\ \forall q \Vdash_A a.\ m \cdot q \Vdash_{G(a)} h(a)$, or, equivalently, 

$\exists m.\ \forall a \in A.\ \forall q \in D.\ h(a) = [m \cdot q]_{G(a)}$, as $\Vdash_A = D \times A$ 

Fix now an element 0 of D. Then, for $n = m \cdot 0$, we have $\forall a \in A.\ n\,G(a)\,n$, that is, $n\,S\,n$. In 
conclusion, $\forall a \in A.\ H([n]_S)(a) = [n]_{G(a)} = h(a)$, that is, $H([n]_S) = h$. Therefore $H^{-1}$ exists and 
it is realized by any $p \in D$ such that $p \cdot m = m \cdot 0$, for all $m \in D$. □ 
Remark 5.1.2 

The key idea in the proof consists in defining the applicative or functional behavior of 
each equivalence class $[n]_S$, say, in $S = \bigcap_{a \in A} G(a) \in \mathrm{PER}_D$ by setting 

$[n]_S \cdot a = [n]_{G(a)}$ 

This is how, to within isomorphism, $[n]_S$ defines a function in $\Pi_{a \in A}\, G(a)$. Observe that, 
when the isomorphism is given by the "constant-constructor" combinator k, the proof 
relates this notion of application to the application $[n]_\Pi \cdot a = [n \cdot p]_{G(a)}$, for $p \Vdash_A a$, as 
defined in 4.1.1. Indeed, $[n \cdot p]_{G(a)}$ is constant with respect to p, under the assumption $\Vdash_A = D \times A$ 
in 5.1.1. The next proposition shows that this assumption is satisfied by the D-sets 
we are interested in: that is, by the definable ones, in the language of Quest. □ 

Proposition 5.1.3 

Let $\vdash E\ \mathrm{env}$ and $E \vdash K\ \mathrm{kind}$. Then, for all $e \in [\![E]\!]$, $[\![E \vdash K\ \mathrm{kind}]\!]e$ is a D-set $\langle A, \Vdash_A \rangle$ 
with $\Vdash_A = D \times A$. 

Proof 

This is clearly true for the base of the induction, in view of the interpretation of T and 
$\mathcal{P}(C)$, for any type C. (Recall that one even has $T = \mathcal{P}(\mathrm{Top})$.) Consider now $E \vdash \Pi(X{::}K)L\ \mathrm{kind}$. Then: 

$\forall e \in [\![E]\!].\ [\![E \vdash \Pi(X{::}K)L\ \mathrm{kind}]\!]e = \langle \Pi_{A \in [\![E \vdash K\ \mathrm{kind}]\!]e}\, [\![E, X{::}K \vdash L\ \mathrm{kind}]\!]\langle e,A\rangle,\ \Vdash_{\Pi G} \rangle$, 

where $G(A) = [\![E, X{::}K \vdash L\ \mathrm{kind}]\!]\langle e,A\rangle$. By induction, just assume that, for all e and A, the 
D-set $L(e,A) = [\![E, X{::}K \vdash L\ \mathrm{kind}]\!]\langle e,A\rangle$ has the full relation $\Vdash_L$. Then any set-theoretic 
function f in $\Pi_{A \in [\![E \vdash K\ \mathrm{kind}]\!]e}\, [\![E, X{::}K \vdash L\ \mathrm{kind}]\!]\langle e,A\rangle$ is realized by any $n \in D$, since one 
always has $n \cdot p \Vdash_L f(A)$, no matter which $A \in [\![E \vdash K\ \mathrm{kind}]\!]e$ and p are taken. □ 

Remark 5.1.4 (For readers with some experience in Category Theory.) 

Continuing from remark 3.1.5. In [Hyland 87] and [Longo Moggi 88], the existence of an 
(internal) right adjoint to the diagonal functor, that is, the small completeness of PER in 
the Effective Topos or in ω-Set, is shown by taking exactly the intersection as product 
(see [Asperti Longo 90] for details). This fully justifies the interpretation below of second-
order impredicative types as intersections. □ 

5.2 Interpretation $[\![\,\cdot\,]\!]'$ 

We now translate typed terms into terms of the type-free calculus, by erasing all type 
information. The type-free λ-calculus is extended by a constant symbol, top. 

Definition 5.2.1 

The translation map erase from typed terms into type-free terms is defined by 
induction on the structure of terms: 

erase(x) = x 
erase(top) = top 
erase(λ(x:A)b) = λx. erase(b) 
erase(b(a)) = erase(b) erase(a) 
erase(λ(X::K)b) = erase(b) 
erase(b(A)) = erase(b) □ 
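The following Python block is an added example, not code from the paper or from the Quest implementation. It gives a small Quest-style term language with the erasure map of Definition 5.2.1, and runs it on the three programs (1), (2), (3) of section 4.2 and on the (β)/(η) critical pair discussed there. The data types, the string-valued base types A, B, C, the subtype fact A <: B and the environment e:C are assumptions made here for illustration; so is the extra clause erasing a Quest_c coercion c_{A,B}(a) to erase(a), which is chosen to match c_{A,B}([m]_A) = [m]_B in the proof of Theorem 4.2.1, where the realizer m is left unchanged.

```python
"""Erasure (Definition 5.2.1) and the (beta)/(eta) critical pair of section 4.2, as an
added example.  Terms, base types and the coercion clause are constructed here."""
from dataclasses import dataclass
from typing import Dict, Tuple, Union

Ty = Union[str, Tuple['Ty', 'Ty']]            # a base type name, or (domain, codomain)

@dataclass(frozen=True)
class Var:    name: str                       # x
@dataclass(frozen=True)
class TopC:   pass                            # the constant top
@dataclass(frozen=True)
class Lam:    var: str; ty: Ty; body: 'Term'  # lambda(x:A)b
@dataclass(frozen=True)
class App:    fun: 'Term'; arg: 'Term'        # b(a)
@dataclass(frozen=True)
class TLam:   tvar: str; kind: str; body: 'Term'   # lambda(X::K)b, e.g. kind '<:B'
@dataclass(frozen=True)
class TApp:   fun: 'Term'; ty: Ty             # b(A)
@dataclass(frozen=True)
class Coerce: src: Ty; dst: Ty; arg: 'Term'   # c_{A,B}(a), Quest_c only
Term = Union[Var, TopC, Lam, App, TLam, TApp, Coerce]

def erase(t: Term):
    """Definition 5.2.1; type-free terms are ('var', x), ('top',), ('lam', x, b), ('app', f, a)."""
    if isinstance(t, Var):    return ('var', t.name)
    if isinstance(t, TopC):   return ('top',)
    if isinstance(t, Lam):    return ('lam', t.var, erase(t.body))
    if isinstance(t, App):    return ('app', erase(t.fun), erase(t.arg))
    if isinstance(t, TLam):   return erase(t.body)
    if isinstance(t, TApp):   return erase(t.fun)
    if isinstance(t, Coerce): return erase(t.arg)      # assumed clause, see the lead-in
    raise TypeError(t)

def free_vars(t: Term) -> set:
    if isinstance(t, Var):    return {t.name}
    if isinstance(t, TopC):   return set()
    if isinstance(t, Lam):    return free_vars(t.body) - {t.var}
    if isinstance(t, App):    return free_vars(t.fun) | free_vars(t.arg)
    if isinstance(t, TLam):   return free_vars(t.body)
    if isinstance(t, TApp):   return free_vars(t.fun)
    return free_vars(t.arg)

def subst(t: Term, x: str, s: Term) -> Term:
    """b{x <- s}; bound names in the examples below are distinct, so no renaming is needed."""
    if isinstance(t, Var):    return s if t.name == x else t
    if isinstance(t, Lam):    return t if t.var == x else Lam(t.var, t.ty, subst(t.body, x, s))
    if isinstance(t, App):    return App(subst(t.fun, x, s), subst(t.arg, x, s))
    if isinstance(t, TLam):   return TLam(t.tvar, t.kind, subst(t.body, x, s))
    if isinstance(t, TApp):   return TApp(subst(t.fun, x, s), t.ty)
    if isinstance(t, Coerce): return Coerce(t.src, t.dst, subst(t.arg, x, s))
    return t

def beta(t: Term) -> Term:
    """(beta) at the root: (lambda(x:A)b)(a) -> b{x <- a}."""
    assert isinstance(t, App) and isinstance(t.fun, Lam)
    return subst(t.fun.body, t.fun.var, t.arg)

def eta(t: Term) -> Term:
    """(eta) at the root: lambda(x:A) f x -> f, provided x is not free in f."""
    assert isinstance(t, Lam) and isinstance(t.body, App)
    assert isinstance(t.body.arg, Var) and t.body.arg.name == t.var
    assert t.var not in free_vars(t.body.fun)
    return t.body.fun

def subtype(a: Ty, b: Ty, sub) -> bool:
    """A <: B from the base facts in `sub`, with arrows contravariant in the domain."""
    if isinstance(a, tuple) and isinstance(b, tuple):
        return subtype(b[0], a[0], sub) and subtype(a[1], b[1], sub)
    return a == b or (a, b) in sub

def typeof(t: Term, env: Dict[str, Ty], sub) -> Ty:
    """Checker for the Var/Lam/App fragment, with subsumption built into application."""
    if isinstance(t, Var): return env[t.name]
    if isinstance(t, Lam): return (t.ty, typeof(t.body, {**env, t.var: t.ty}, sub))
    if isinstance(t, App):
        f, a = typeof(t.fun, env, sub), typeof(t.arg, env, sub)
        assert isinstance(f, tuple) and subtype(a, f[0], sub), "ill-typed application"
        return f[1]
    raise TypeError("only the Var/Lam/App fragment is checked here")

def section_4_2_programs():
    """(1) subsumption, (2) coercion, (3) bounded quantifier, with d = x: one erasure."""
    d = Var('x')
    p1 = App(Lam('x', 'B', d), Var('a'))
    p2 = App(Lam('x', 'B', d), Coerce('A', 'B', Var('a')))
    p3 = App(TApp(TLam('X', '<:B', Lam('x', 'X', d)), 'A'), Var('a'))
    return erase(p1), erase(p2), erase(p3)

def critical_pair():
    """lambda(x:A)(lambda(y:B)e)x with A <: B and e:C type-checks by subsumption, but
    (eta) and (beta) lead to two distinct normal forms, at types B->C and A->C."""
    sub, env = {('A', 'B')}, {'e': 'C'}
    t = Lam('x', 'A', App(Lam('y', 'B', Var('e')), Var('x')))
    assert typeof(t, env, sub) == ('A', 'C')
    by_eta  = eta(t)
    by_beta = Lam('x', 'A', beta(t.body))          # (beta) fires under the outer binder
    return (by_eta, typeof(by_eta, env, sub)), (by_beta, typeof(by_beta, env, sub))
```

`section_4_2_programs` returns the same type-free term three times: this is the computational side of Theorem 4.2.1, where a coercion and a bounded type application both disappear under erasure. `critical_pair` returns λ(y:B)e at type B → C and λ(x:A)e at type A → C, two normal forms with no common reduct, which is why (η) is kept only as an equality rule.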

With the preliminaries above, it is now straightforward to implement our idea: a typed 
term is interpreted by the equivalence class of its erasure, with respect to its type as a p.e.r. 
We then need to show that this interpretation is sound. Indeed, this interpretation 
generalizes a theorem stated in [Mitchell 86] and tidily relates to the alternative approach to 
the semantics of the subsumption rule [TSub/Quest] in [Bruce Longo 89]. Observe that this 
interpretation, in contrast to the early attempt in [Bruce Longo 89], is direct. This is made 
possible by the use of theorem 5.1.1, since by erasure the meaning of a second-order 
typed term becomes an element of the intersection of all the types which form its range. 
For example, the polymorphic identity function $\lambda(X{::}T)\lambda(x{:}X)x : \Pi(X{::}T)(X \to X)$ will 
be interpreted as the equivalence class of the type-free identity $\lambda x.x$, which happens to 
live in $A \to A$, for any type A. 

Note finally that, since the interpretations of type-free terms are elements of D, while 
the elements of types as p.e.r.'s are equivalence classes, we need a choice map to obtain 
an environment for type-free terms from an environment for typed ones. This is done by 
the following definition. 

Definition 5.2.2 

Given $E = E', x_n{:}A_n, E''$ and $e = \langle \ldots \langle e_n, a_n\rangle, \ldots \rangle \in [\![E]\!]$, fix $s_e : \mathrm{Var} \to D$ such that 
$s_e(x_n) \in a_n \in [\![E' \vdash A_n\ \mathrm{type}]\!]'e_n$, where $[\![E]\!]$ is defined as in section 4.1, and $[\![E' \vdash A_n\ \mathrm{type}]\!]'e_n$ 
is the interpretation of types given below. □ 

Note that $s_e$ is defined only on term variables and gives no meaning to $X{::}K$. The 
interpretation below will not depend on the choice of $s_e$. Recall that $D[\![\,\cdot\,]\!]$ is the 
interpretation of type-free terms in $(D, \cdot)$. 

Environments 

$[\![E]\!]'$ coincides with $[\![E]\!]$ for Quest_c 

Kinds 

No change. 

Types 

No change, except for: 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!].\ [\![E \vdash \Pi(X{::}K)B\ \mathrm{type}]\!]'e = \bigcap_{A \in [\![E \vdash K\ \mathrm{kind}]\!]'e} [\![E, X{::}K \vdash B\ \mathrm{type}]\!]'\langle e,A\rangle$ 

Terms 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!]'.\ [\![E \vdash a : A]\!]'e = [D[\![\mathrm{erase}(a)]\!]s_e]_{[\![E \vdash A\ \mathrm{type}]\!]'e}$ 

Since higher-order quantification is interpreted as intersection, by an even easier 
proof than for Quest_c, we have: 

Lemma 5.2.3 

$E \vdash A <: B$ implies $\forall e \in [\![E]\!]'.\ [\![E \vdash A\ \mathrm{type}]\!]'e \le [\![E \vdash B\ \mathrm{type}]\!]'e$ □ 

The following proposition proves the soundness of the interpretation. 

Proposition 5.2.4 

The interpretation $[\![\,\cdot\,]\!]'$ is a well-defined meaning for kinds, types, and terms over D-Set 
and $\mathrm{PER}_D$. 
Proof 

We need to check only the result for terms, since kinds pose no problem, and there 
has been enough discussion concerning types and the use of intersection as product. 
Recall from proposition 5.1.3 that $[\![E \vdash K\ \mathrm{kind}]\!]'e$ is a D-set with the full relation. 

Thus we show by induction on the derivation that, for each $E \vdash a : A$, $D[\![\mathrm{erase}(a)]\!]s_e$ is 
in the domain of $[\![E \vdash A\ \mathrm{type}]\!]'e$ and that it has the correct functional behavior. 

Case $E = E', x_n{:}A_n, E'' \vdash x_n{:}A_n$ 

$\vdash E\ \mathrm{env}$: $\forall e \in [\![E]\!]'.\ [\![E \vdash x_n{:}A_n]\!]'e = [s_e(x_n)]_{[\![E \vdash A_n\ \mathrm{type}]\!]'e}$ 

which corresponds to 

$\forall e = \langle \ldots \langle e_n, a_n\rangle, \ldots \rangle \in [\![E]\!].\ [\![E \vdash x_n{:}A_n]\!]'e = a_n \in [\![E' \vdash A_n\ \mathrm{type}]\!]'e_n$ 

Case $E \vdash \mathrm{top} : \mathrm{Top}$ 

Just recall that Top is the full relation, whose only equivalence class is the whole carrier. 

Case $E \vdash b(a) : B$ 

$\forall e \in [\![E]\!]'.\ [\![E \vdash b(a) : B]\!]'e = [D[\![\mathrm{erase}(b(a))]\!]s_e]_{[\![E \vdash B\ \mathrm{type}]\!]'e}$ 
$= [D[\![\mathrm{erase}(b)\,\mathrm{erase}(a)]\!]s_e]_{[\![E \vdash B\ \mathrm{type}]\!]'e}$ 
$= ([D[\![\mathrm{erase}(b)]\!]s_e]_{[\![E \vdash A \to B\ \mathrm{type}]\!]'e}) \cdot ([D[\![\mathrm{erase}(a)]\!]s_e]_{[\![E \vdash A\ \mathrm{type}]\!]'e})$ 
$= ([\![E \vdash b : A \to B]\!]'e) \cdot ([\![E \vdash a : A]\!]'e)$ 

where application between equivalence classes is defined as in 4.1.1. 
This simultaneously proves that $[\![\,\cdot\,]\!]'$ decomposes soundly and that $D[\![\mathrm{erase}(b(a))]\!]s_e$ is in 
$\mathrm{dom}([\![E \vdash B\ \mathrm{type}]\!]'e)$. 

Case $E \vdash \lambda(x{:}A)b : A \to B$ 

$\forall e \in [\![E]\!]'.\ [\![E \vdash \lambda(x{:}A)b : A \to B]\!]'e = [D[\![\lambda x.\,\mathrm{erase}(b)]\!]s_e]_{[\![E \vdash A \to B\ \mathrm{type}]\!]'e}$ 

which is well defined because by induction, from the semantics of $E, x{:}A \vdash b : B$, one has 
for all $n \in D$: 

$n\,([\![E \vdash A\ \mathrm{type}]\!]'e)\,n \Rightarrow D[\![\mathrm{erase}(b)]\!]s_e[n/x]$ is in $\mathrm{dom}([\![E \vdash B\ \mathrm{type}]\!]'e)$ 

Thus $D[\![\lambda x.\,\mathrm{erase}(b)]\!]s_e$ is in $\mathrm{dom}([\![E \vdash A \to B\ \mathrm{type}]\!]'e)$, by virtue of the familiar substitution 
lemmas in the type-free model $(D, \cdot, D[\![\,\cdot\,]\!])$. (See [Barendregt 84].) 

Case $E \vdash \lambda(X{::}K)b : \Pi(X{::}K)B$ 

$\forall e \in [\![E]\!]'.\ [\![E \vdash \lambda(X{::}K)b : \Pi(X{::}K)B]\!]'e = [D[\![\mathrm{erase}(b)]\!]s_e]_\Sigma$ 

where $\Sigma = \bigcap_{A{::}K} [\![E \vdash B\{X \leftarrow A\}\ \mathrm{type}]\!]'e$. (Note that, by the usual substitution 
techniques, one has $[\![E \vdash B\{X \leftarrow A\}\ \mathrm{type}]\!]'e = [\![E, X{::}K \vdash B\ \mathrm{type}]\!]'\langle e,A\rangle$, where we keep 
identifying the semantic and the syntactic type A by an abuse of language.) This is well 
defined just as before, since, by induction, one has: 

$E, X{::}K \vdash b : B$ implies $D[\![\mathrm{erase}(b)]\!]s_e$ is in $\mathrm{dom}([\![E, X{::}K \vdash B\ \mathrm{type}]\!]'\langle e,A\rangle)$ 

However, in contrast to the previous case, $D[\![\mathrm{erase}(b)]\!]s_e$ does not depend on $X{::}K$ while 
B and its semantics do. Exactly because of this, for all types A one has 

$D[\![\mathrm{erase}(b)]\!]s_e$ is in $\mathrm{dom}([\![E \vdash B\{X \leftarrow A\}\ \mathrm{type}]\!]'e)$ 

and thus $D[\![\mathrm{erase}(b)]\!]s_e$ is in $\mathrm{dom}(\Sigma)$. The next case describes also the applicative behavior 
of $[\![E \vdash \lambda(X{::}K)b : \Pi(X{::}K)B]\!]'e$. 

Case $E \vdash c(A) : B\{X \leftarrow A\}$ 

$\forall e \in [\![E]\!]'.\ [\![E \vdash c(A) : B\{X \leftarrow A\}]\!]'e = [D[\![\mathrm{erase}(c)]\!]s_e]_{[\![E \vdash B\{X \leftarrow A\}\ \mathrm{type}]\!]'e}$ 

by the definition of erase. Observe now that one must have $E \vdash c : \Pi(X{::}K)B$. By setting 

$\Sigma = \bigcap_{A{::}K} [\![E \vdash B\{X \leftarrow A\}\ \mathrm{type}]\!]'e$ 

by the previous case and the definition of erase, one has 

$\forall e \in [\![E]\!]'.\ [\![E \vdash c : \Pi(X{::}K)B]\!]'e = [D[\![\mathrm{erase}(c)]\!]s_e]_\Sigma$, with $D[\![\mathrm{erase}(c)]\!]s_e$ in $\mathrm{dom}(\Sigma)$ 

Thus, for all A, $D[\![\mathrm{erase}(c)]\!]s_e$ is in $\mathrm{dom}([\![E \vdash B\{X \leftarrow A\}\ \mathrm{type}]\!]'e)$. 

By this and by the definition of application of an intersection class to a p.e.r., given in 
5.1.2, compute 

$[D[\![\mathrm{erase}(c)]\!]s_e]_{[\![E \vdash B\{X \leftarrow A\}\ \mathrm{type}]\!]'e} = ([D[\![\mathrm{erase}(c)]\!]s_e]_\Sigma) \cdot ([\![E \vdash A\ \mathrm{type}]\!]'e)$ 
$= ([\![E \vdash c : \Pi(X{::}K)B]\!]'e) \cdot ([\![E \vdash A\ \mathrm{type}]\!]'e)$ □ 

We have also proved: 

Corollary 5.2.5 

If $\vdash E\ \mathrm{env}$ and $E \vdash a : A$, then $\forall e \in [\![E]\!].\ [\![E \vdash a : A]\!]'e \in [\![E \vdash A\ \mathrm{type}]\!]'e$. □ 



It is a minor variant of the work done for Quest_c to check fully that we provided an 
interpretation for Quest (that is, that the analogue of theorem 4.1.2 holds for Quest). The 
crucial point is the validity of the subsumption rule: 

$E \vdash a : A \qquad E \vdash A <: B$ 
$E \vdash a : B$ 

This rule is valid simply because the interpretation of the term a, say, comes with the 
meaning of the entire judgment $E \vdash a : A$ or $E \vdash a : B$. We gave this meaning in such a 
way that it automatically coerces a to B in the semantics when interpreting $E \vdash a : B$. 
Indeed, the meaning of $E \vdash a : A$ is an equivalence class in the p.e.r. $[\![E \vdash A\ \mathrm{type}]\!]'e$ 
(together with the assertion that it actually belongs to the class), while the meaning 
$[\![E \vdash a : B]\!]'e$ is an element of the p.e.r. $[\![E \vdash B\ \mathrm{type}]\!]'e$, which is in general a larger equivalence 
class. 

It is worth noticing the essential role of the interpretation of polymorphic types as 
intersections. The isomorphism between product and intersection in 5.1.1 is the core of 
this interpretation. (See the last two cases in the proof of 5.2.4.) It says that type erasing does not 
affect the meaning of polymorphic terms, modulo equivalence classes, and reduces the 
entire challenging business of how to apply a term to a type, to a simple type coercion in 
the model. That is, $[n]_S \cdot A = [n]_{G(A)}$, which interprets the polymorphic application for $S = \bigcap_{A \in K} G(A)$ 
(see 5.1.2), corresponds to coercing $[n]_S$ to the generally larger equivalence 
class $[n]_{G(A)}$. 

This has a clear mathematical and computational meaning. Mathematically, it derives 
from the fact that the maps from any D-set with the full realizability relation to a p.e.r. are 
constant functions. (See [Longo Moggi 88], or prove it for exercise.) This is a simple feature 
inherited from a deep fact: the validity of the Uniformity Principle in the Realizability 
Universe, which is the categorical background of this construction [Longo 88]. 
Computationally, it says that at run time we disregard types, or that computations are 
type-free, in particular the computation of a polymorphic term. However, given a 
computation n of type $\bigcap_{A \in K} G(A)$, it happens that n is equivalent to more computations 
when updated to type A: namely, all those in $[n]_{G(A)}$. 

In [Bruce Longo 89] yet another interpretation of Fun, the progenitor of Quest, is given. 
The idea, in that paper, is to use the interpretation of the language with coercions in order 
to give meaning to the one without coercions. This is based on a series of theorems which 
relate abbreviated terms (that is, terms where all coercions are erased) to their fattenings 
(that is, terms where coercions are put back in place). More precisely, in our language, 
given $E \vdash_c a : A$, a judgment in Quest_c, abbrev(a) is obtained by erasing all coercions. 
Then, for $E \vdash b : B$ in Quest, b' is a fattening of b when abbrev(b') = b. The interpretation 
of the judgment $E \vdash a : A$ in Quest given in [Bruce Longo 89], written $[\![E \vdash a : A]\!]_{BL}e$ here, 
is obtained by setting: 

$[\![E \vdash a : A]\!]_{BL}e = [\![E \vdash_c a' : A]\!]e$ 

where $[\![E \vdash_c a' : A]\!]e$ is the semantics in part 4, for a fattening a' of a. 

With some work, [Bruce Longo 89] showed that this is well defined. Indeed, it coincides 
with our current interpretation $[\![\,\cdot\,]\!]'$. In other words, by the results in [Bruce Longo 89] and 
some further work, we claim that, given a model of the type-free λ-calculus and the 
realizability structures over it as models of Quest, one has: 

$[\![E \vdash a : A]\!]_{BL}e = [\![E \vdash a : A]\!]'e$ 

Observe finally that this interpretation is "coherent", in the sense of [Curien Ghelli 89], since 
by definition it depends only on the proved judgment and not on its derivation. More 
generally, the model satisfies the conditions in the coherence theorem in [Curien Ghelli 89]. 

6. Conclusions 

We have described a formal system, which can be considered the kernel of the Quest 
language, and we have investigated a particularly attractive approach to its semantics. 
The formal system demands a lot of its semantic models, probably more than any previous 
typed system. Fortunately, PER models promise to satisfy all the required features, and 
more (e.g. dependent types). More work needs to be done both on the syntactic side, 
studying the properties and the degree of completeness of the formal system, and on the 
semantic side, mostly with respect to recursion and recursive types. 